Previous Top News: 2021


  • The Ninth Circuit announced today police violated a defendant’s Fourth Amendment rights when they warrantlessly searched files that Google automatically reported using a proprietary algorithm designed to detect child sexual abuse material (“CSAM”). Prosecutors in the case, United States v. Wilson, had argued that the police officer’s search of the defendant’s files did not violate the Fourth Amendment because Google, a private party, had conducted the initial search. The district court agreed, finding that there was a “virtual certainty” that the files Google sent to police were identical to files previously identified by a Google employee as CSAM. But no Google employee reviewed the defendant's files before sending them to police—instead, Google automatically forwarded the files to law enforcement after a proprietary algorithm matched the files to previously-identified CSAM images. EPIC filed an amicus brief in the Ninth Circuit appeal to explain that prosecutors had failed to show that the proprietary Google algorithm reliably matched images. EPIC also urged the court to narrowly apply the private search exception. The Ninth Circuit found that the police search “allowed the government to learn new, critical information” and “expanded the scope of the antecedent private search because the government agent viewed Wilson’s email attachments even though no Google employee—or other person—had done so.” The Ninth Circuit also echoed EPIC’s amicus brief: “on the limited evidentiary record, the government has not established that what a Google employee previously viewed were exact duplicates of Wilson’s images.” The decision in this case diverges from previous federal appeals and state court decisions on the issue and may lead the Supreme Court to review the important privacy implications of mass automatic file scanning programs. (Sep. 21, 2021)

  • Nine Democratic Senators led by Senator Richard Blumenthal have called on the Federal Trade Commission to conduct a rulemaking process to "protect consumer privacy, promote civil rights, and set clear safeguards on the collection and use of personal data in the digital economy." "Americans’ identities have become the currency in an unregulated, hidden economy of data brokers that buy and sell sensitive information about their families, religious beliefs, healthcare needs, and every movement to shadowy interests, often without their awareness and consent," the Senators said. Senators Schatz, Wyden, Warren, Coons, Luján, Klobuchar, Booker, and Markey joined Senator Blumenthal on the letter. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. (Sep. 20, 2021)

  • The New Jersey Supreme Court today decided that dog owners in the state do not have a colorable claim to privacy in their names and addresses—but there may be a privacy interest in the names and breeds of their dogs. The case, Bozzi v. City of Jersey City, asked whether the privacy exemption to the state’s freedom of information law required government agencies to withhold the names and addresses of dog license holders when the only justification for disclosure was commercial interest in selling dog paraphernalia. EPIC filed an amicus brief and presented oral argument in the case, arguing that the privacy interest in names and addresses in government documents is well established under federal law and the state should follow the federal example. The court’s majority found no colorable claim to privacy for dog owners because “owning a dog is, inherently, a public endeavor”—owners take their dogs on “daily walks, grooming sessions, veterinarian visits,” “celebrate their animals on social media or bumper stickers” and “enter their dogs into public shows.” But, as the two dissenting justices retorted, “dog owners appearing in public with their dogs do not do so while simultaneously advertising their full names and addresses.” Further undermining the majority’s reasoning was the court’s recognition that other information in the dog license record—such as the name and breed of the dog, which is exposed to the public to the same degree as dog ownership, and more so than the names and addresses of owners—may need to be redacted because of the privacy interests at stake. EPIC routinely participates as amicus in cases involving involuntary disclosure of personal information to third parties. (Sep. 20, 2021)

  • In a letter to the Secretary of Homeland Security, EPIC and a coalition of privacy, civil rights, and civil liberties organizations demanded the Department of Homeland Security (DHS) end some of the agency’s more pervasive surveillance programs. The coalition called for DHS to end its practice of purchasing sensitive data (e.g. cellphone location and utility information) from third-party vendors and cease the collection of social media identifiers. The coalition also urged DHS to implement a moratorium on the use of face recognition for immigration enforcement. In previous comments to DHS, EPIC opposed DHS collecting social media identifiers and called for DHS to suspend the use of facial recognition. (Sep. 16, 2021)

  • In a report published today, the United Nations High Commissioner for Human Rights called on governments to “ban AI applications that cannot be operated in compliance with international human rights law and impose moratoriums on the sale and use of AI systems that carry a high risk for the enjoyment of human rights, unless and until adequate safeguards to protect human rights are in place.” The report also stresses the need for comprehensive data protection legislation in addition to a regulatory approach to AI that prioritizes protection of human rights. UN High Commissioner for Human Rights Michelle Bachelet explained: “The risk of discrimination linked to AI-driven decisions - decisions that can change, define or damage human lives - is all too real. This is why there needs to be systematic assessment and monitoring of the effects of AI systems to identify and mitigate human rights risks.” EPIC has long advocated for comprehensive data protection legislation, moratoriums on particularly dangerous tools and commonsense AI regulation to protect the public. (Sep. 15, 2021)

  • EPIC and a coalition of privacy and consumer rights groups today sent a letter to Senators Ron Wyden and Mike Crapo of the Senate Finance Committee regarding a proposal under consideration in the budget reconciliation bill to expand the mandatory reporting regime for private financial information in the United States. The proposal would require peer-to-peer payment apps and other similar services such as Square Cash and Venmo to collect Taxpayer Identification Numbers (“TINs”) for virtually all payee accounts in order to comply with new reporting obligations. Because most individuals do not hold a separate TIN from their Social Security Number, unlike businesses, this means that these private entities will be collecting SSNs of millions of Americans. The groups urged the Senators to reject the Treasury Department’s proposal and instead explore ways to improve tax compliance that do not put Americans’ SSNs at risk. "At minimum, the expanded reporting requirement should be scaled back to apply only to business accounts or individual accounts with a high de minimus threshold, adjusted for inflation over time," the groups said. "Peer to Peer payment apps and other similar services that currently do not collect TINs should not be required to do so under the new reporting requirements." (Sep. 15, 2021)

  • Today, Senators Richard Blumenthal and Marsha Blackburn announced an investigation into Facebook’s knowledge and coverup of the harmful effects of Facebook’s Instagram on children and teenagers. The announcement follows a Wall Street Journal investigation which revealed that Facebook’s researchers found that Instagram is harmful to a “sizeable percentage” of its young users, most notably teenage girls. Internally, Facebook knew that Instagram’s effects on young people included increased anxiety and depression, body image issues, and thoughts of suicide. Publicly, CEO Mark Zuckerberg testified before Congress that Facebook’s research suggested that the use of its social media apps had positive mental health benefits to users. The Wall Street Journal uncovered several documents that “show that Facebook has made minimal efforts to address these issues and plays them down in public.” In response to Senators Blumenthal and Blackburn’s August 2020 request for Facebook to release its internal research on the matter, Facebook sent a six-page letter that did not include the company’s studies. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook. (Sep. 15, 2021)

  • The House Energy and Commerce Committee today approved a $1 billion appropriation for the Federal Trade Commission to create and operate a new bureau focused on privacy, data security, identity theft, data abuses, and related matters. EPIC strongly supports the appropriation, but urges Congress to follow up this budget measure with comprehensive privacy legislation and create an independent data protection agency. "This increased funding for enforcement is a step in the right direction, but the increasing pervasiveness of technology in our lives and our economy necessitates an update to our privacy laws and a dedicated agency," said Caitriona Fitzgerald, EPIC's Deputy Director. "While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency. Congress must follow up this budget measure with comprehensive baseline privacy legislation and the creation of an independent data protection agency. And the FTC should use these funds to promptly initiate a privacy rulemaking and go after unfair data practices and biased AI systems." EPIC has long advocated for the creation of a U.S. Data Protection Agency. (Sep. 14, 2021)

  • President Biden has nominated Alvaro Bedoya, founding director of the Georgetown Center on Privacy & Technology, to serve as a member of the Federal Trade Commission. Bedoya will succeed Commissioner Rohit Chopra when confirmed by the Senate. As a legal scholar and advocate, Bedoya has exposed the harms and biases of facial recognition technology and argued for legislation that would prevent predatory and discriminatory targeting of online ads. Bedoya is the author of Privacy as a Civil Right, in which he details how "the burdens of government surveillance have fallen overwhelmingly on the shoulders of immigrants, heretics, people of color, the poor, and anyone else considered 'other'" and argues that privacy must be understood as a "shield that allows the unpopular and persecuted to survive and thrive." Bedoya previously served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. "Alvaro brings more than a decade of experience in privacy and surveillance issues, including a special focus on the impact that invasive technologies have on communities of color, to an FTC that needs to quickly and dramatically ramp up its responses to these emerging threats," said Alan Butler, EPIC's Executive Director. "There is no doubt that his expertise on these issues will put the Commission in a much better position to investigate data abuses and to craft new rules to bring these invasive business practices under control." (Sep. 13, 2021)

  • The U.S. Supreme Court announced Wednesday that it will continue streaming live audio of its oral arguments at least through December of this year. The justices will also resume holding arguments in person, though the Court building will remain closed to the public. The Court's announcement came the same day that EPIC and a coalition of over 75 civil society, transparency, media, and disability rights organizations wrote to the Court urging it to make live audio access to oral arguments permanent. The letter emphasized that "[f]air and equal justice can't be delivered without accountability and transparency. Ensuring that live audio of oral arguments remains accessible to the public . . . would promote transparency and increase public confidence in the nation's highest court." At the start of the COVID-19 pandemic, the Court began streaming a live audio feed of oral arguments for the first time in its history. More than 130,000 people streamed arguments live during the Court's May 2020 sitting, and oral arguments since the beginning of the pandemic have been streamed nearly three million times. During its last term, the Court held oral arguments by teleconference in four cases in which EPIC filed an amicus brief, including U.S. Fish & Wildlife Service v. Sierra Club, Van Buren v. United States, Facebook v. Duguid, and TransUnion v. Ramirez. (Sep. 9, 2021)

  • The Sixth Circuit has rejected a robocall defendant's bid to use the Supreme Court's decision last year in Barr v. American Association of Political Consultants to create immunity for illegal robocalls made between 2015 and 2020. In Barr, the Supreme Court found that an exception added in 2015 to the decades-old robocall restriction was unconstitutional and must be severed from the law. The defendant in the case before the Sixth Circuit, Lindenbaum v. Realgy, LLC, argued that the decision in Barr made the broad robocall ban unenforceable for the period between the unconstitutional exception's enactment and the Supreme Court's decision to sever, from 2015-2020. The district court agreed and threw the lawsuit out. The Sixth Circuit's decision reverses the district court and allows the robocall suit to continue. EPIC and the National Consumer Law Center filed an amicus brief in the case arguing that granting robocallers immunity “would reward those who made tens of billions of unwanted robocalls and deprive consumers of any remedy for the incessant invasion of their privacy.” EPIC regularly files amicus briefs supporting consumers in illegal robocall cases. (Sep. 9, 2021)

  • EPIC has submitted comments to the Biometrics and Surveillance Commissioner of the United Kingdom on proposed updates to the Surveillance Camera Code of Practice. The proposed updates focus on aligning the Code with developments in surveillance law and recent court decisions. EPIC recommended ways to more directly address risks to privacy and international human rights, including banning facial recognition technology, emotion recognition, and biometric categorization systems; setting clear assessment and consultation requirements for databases used for matching; and strengthening protections against improper use of facial and biometric recognition systems. EPIC has long fought to protect the public against surveillance, including by campaigning to ban facial recognition technology and filing suit against agencies misusing surveillance technology. EPIC recently brought suit against the Postal Service over its unlawful use of facial recognition and social media monitoring tools. (Sep. 9, 2021)

  • The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward. (Sep. 2, 2021)

  • EPIC has joined with several international privacy and human rights advocacy groups in a statement calling for privacy reform in the wake of allegations that the Indian government used Pegasus to surveil activists, journalists, and opponents. The statement highlights the fundamental right to privacy established under both the Indian Constitution and international human rights law, condemns the illegal use of spyware, and calls for (i) an independent investigation into allegations of Pegasus use; (ii) surveillance reform ensuring independent judicial oversight and providing for judicial remedy; and (iii) establishing a data protection framework that will respect privacy rights. EPIC has previously filed suit against the U.S. Department of Homeland Security to obtain records of a system designed to surveil journalists—the surveillance effort was subsequently suspended. In addition, EPIC has previously joined coalition letters calling for surveillance reform within the U.S. and has testified before Congress regarding the risks of commercial spyware. (Aug. 26, 2021)

  • In a new report, the Government Accountability Office (GAO) surveyed 24 federal agencies on their use of facial recognition technology. The report reveals that 18 of those agencies are using facial recognition for purposes including law enforcement, physical security/surveillance, and digital access. Ten of those agencies, including the Department of Homeland Security, the Department of Justice, and the State Department plan to expand their use of facial recognition in the near future by acquiring new systems. According to the GAO, 27 states and 6 municipalities currently allow federal agencies to access non-federal facial recognition systems. The GAO's report follows the office's June report that 42 federal law enforcement agencies are using facial recognition technology with little to no oversight. According to the report, many agencies were unaware that employees were using the technology. The report also reveals that the Department of the Interior accessed the DC-area NCR-FRILS facial recognition system. EPIC organized a coalition opposing the system, leading to its shutdown in July of this year. EPIC recently filed suit against the U.S. Postal Service for using facial recognition and social media monitoring technology without completing statutorily required Privacy Impact Assessments. (Aug. 26, 2021)

  • EPIC, through a freedom of information request, has obtained new records about the D.C. Department of Human Services’ use of automated systems to track and assign “risk score[s]” to recipients of public benefits. The documents show that DCDHS has contracted with Pondera, a Thomson Reuters subsidiary, for case management software and a tool known as “Fraudcaster.” Fraudcaster tracks location history and other information about people receiving public benefits, combining this information with “DHS data and pre-integrated third-party data sets” to yield supposed risk scores. Factors that may cause the system to label someone as riskier include “travel[ing] long distances to retailers” and “display[ing] suspect activity.” Thomson Reuters also offered a free trial of its CLEAR service to the DCDHS as an incentive to sign the Pondera contract quickly. CLEAR is “powered by billions of data points” and claims to “identif[y] potential concerns associated with people.” The system is used by Immigration & Customs Enforcement and other law enforcement agencies in the U.S. EPIC is pursuing more information about DCDHS’s use of Pondera systems and mapping out automated decision-making tools used in D.C. through the EPIC Scoring and Screening Project. EPIC advocates for algorithmic transparency and accountability, particularly for systems used to make high-impact decisions like public benefit determinations. (Aug. 25, 2021)

  • EPIC has submitted feedback to NIST to inform the development of an AI Risk Management Framework that will assist developers, users, and evaluators of AI systems in assessing and improving those systems. EPIC's feedback includes background on the proliferation of AI system use and the many potential and already-occurring harms stemming from that use, noting that this framework must take into account and meaningfully act to prevent those harms. EPIC recommends that the framework prioritize (i) protection of individuals affected by AI systems, (ii) accountability for AI system development and use, and (iii) interoperability with emerging and current AI and privacy regulations. EPIC frequently advocates for algorithmic justice, transparency, and accountability and has recently submitted comments on the European Commission's proposed Artificial Intelligence Act and the OECD Framework for Classifying AI Systems. (Aug. 19, 2021)

  • The Federal Trade Commission has refiled its antitrust complaint against Facebook after a federal court dismissed its original complaint in June. In the new complaint, the FTC alleges that Facebook used illegal anticompetitive methods to thwart competition and maintain a monopoly, including by buying competitors like Instagram and WhatsApp. The complaint details how Facebook’s practices enabled the social media giant to maintain its dominance at the expense of competition and consumers. For example, before Facebook’s acquisition of WhatsApp, the messaging platform “embraced privacy-focused offerings and design, including the principle ‘of knowing as little about you as possible’ and an ads-free subscription model” which provided “an important form of product differentiation for WhatsApp as an independent competitive threat in personal social networking.” The FTC also highlights the importance of meaningful competition, without which “Facebook has been able to provide lower levels of service quality on privacy and data protection than it would have to provide in a competitive market.” This complaint is the highest profile challenge that the Commission has brought against any tech company in decades. EPIC has long urged the FTC to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward. (Aug. 19, 2021)

  • EPIC has filed a lawsuit against the U.S. Postal Service to block the use of facial recognition and social media monitoring tools under the Internet Covert Operations Program (iCOP). EPIC’s case challenges the Postal Service’s failure to conduct and publish the Privacy Impact Assessment mandated by the E-Government Act before procuring and using advanced surveillance systems under iCOP. EPIC is seeking a court order to block iCOP from using these tools at least until the Postal Service has conducted the required assessment. EPIC brought suit after the Postal Service failed to locate a PIA in response to EPIC’s Freedom of Information Act request. Under iCOP, law enforcement officials at the U.S. Postal Inspection Service monitored protests in the summer of 2020 and spring of 2021 and used Clearview AI’s controversial facial recognition product to identify individuals. The iCOP’s surveillance of protests and tracking of “inflammatory” content goes far beyond the program’s mandate to investigate fraud and other crimes perpetrated through the mail or USPS’s website. EPIC has previously used the E-Government Act to block the deployment of a media surveillance platform by the Department of Homeland Security and to halt the collection of voter data by the Presidential Advisory Commission on Election Integrity. (Aug. 12, 2021)

  • The World Health Organization (WHO) has issued guidance on documentation of COVID-19 vaccination certificates. Among other items, the guidance outlines ethical and data protection considerations, different use scenarios, and procedures for use and verification. Critically, the guidelines emphasize that emergency circumstances do not permit authorities to ignore legal obligations relating to privacy and human rights. The guidelines also mandate data protection safeguards and warn against normalizing surveillance of health information. EPIC has previously recommended that public health responses to the pandemic be consistent with privacy and human rights standards and urged authorities to limit unnecessary collection and use of vaccine-related personal data by third parties, including pharmacies. (Aug. 11, 2021)

  • EPIC and the National Consumer Law Center have filed an amicus brief in a case that highlights the privacy-invading behavior of the online lead generator industry. The plaintiffs in the case, McCurley v. Royal Seas Cruises, are trying to hold a cruise company accountable for tens of thousands of illegal robocalls made on its behalf by a foreign telemarketing company using leads from two unscrupulous online lead generators. The trial court dismissed the case against Royal Seas Cruises because of a provision in their contract with the telemarketer that said the telemarketer would comply with the federal anti-robocall law, the Telephone Consumer Protection Act. EPIC and NCLC argue in their brief that a simple contract provision cannot absolve Royal Seas Cruises from responsibility for these illegal robocalls. The amicus brief highlights the unscrupulous practices of the lead generator industry, including recent lawsuits accounting for millions of illegal calls and FTC enforcement actions against deceptive lead generator practices. EPIC and NCLC also argue that failure to hold Royal Seas Cruises accountable would "dramatically weaken TCPA enforcement, denying consumers any remedy for their privacy injuries, and leaving consumers unprotected from future harms." EPIC routinely files amicus briefs in TCPA cases. (Aug. 10, 2021)

  • EPIC submitted comments identifying gaps and proposing privacy and fundamental rights-preserving updates to the European Commission's Proposal for Harmonized Rules on Artificial Intelligence (the Artificial Intelligence Act or "AIA"). The AIA is intended as a step forward in proactive regulation of AI system use. However, EPIC's comment describes how unaddressed privacy and human rights concerns may allow AI systems to be used in ways that cause serious harm to individuals interacting, knowingly or unknowingly, with those systems. EPIC recommends that the Commission (i) remove the broad exemptions on regulatory requirements for AI systems and expand prohibitions where necessary, (ii) mandate prior notification to individuals subject to AI system decision-making, (iii) fully ban emotion recognition and biometric categorization systems, and (iv) mandate review and approval of AI system conformity assessments by data protection authorities prior to use. EPIC advocates for algorithmic justice, transparency, and accountability, and recently submitted comments on the OECD Framework for Classifying AI Systems, recommending changes to more robustly address privacy concerns. (Aug. 6, 2021)

  • The Massachusetts Supreme Judicial Court issued an opinion in Commonwealth v. Zachary finding that when Boston Police accessed two days of rider history from a metro pass they did not perform a search under the Fourth Amendment. The court first followed an argument from EPIC's amicus brief urging the court to reject the third-party doctrine for electronic data collected by a third party from an individual for the purpose of obtaining a service. The court decided, "we reject the doctrine as applied to this case, where the data at issue has no connection to the limited purpose for which an individual uses a CharlieCard." The court then applied the mosaic theory of the Fourth Amendment, which looks at the whole sweep of a government action and the insights derived when individual data points are aggregated to determine whether a search occurred under the Constitution. The court held that while "an extensive record of an individual's MBTA activity could constitute a search under the mosaic theory, the minimal amount of data obtained in this case does not constitute a violation of art. 14 or the Fourth Amendment." EPIC previously filed an amicus brief in the landmark location privacy case Carpenter v. United States, in which the Supreme Court held that collecting seven days of cell phone location data, considered in aggregate, constituted a search. (Aug. 5, 2021)

  • EPIC and the Center for Democracy & Technology have filed an amicus brief supporting Los Angeles residents' court fight against a city initiative to collect detailed location information on all individual e-scooter trips taken in Los Angeles. The lawsuit is currently on appeal after the trial court dismissed the case because it found no privacy interest in the data. EPIC and CDT's amicus brief describes how Los Angeles spearheaded a new data collection pipeline called the Mobility Data Specification (or MDS) to standardize the location data that ride share providers collect so that the data can easily be disclosed to governments for analysis—and, potentially, surveillance. EPIC and CDT wrote that MDS has the "power to turn a so-called 'smart city' into a surveillance state that is inimical to the Fourth Amendment." The amicus brief describes how MDS was developed to track any shared mobility vehicle, and that Los Angeles already had plans to expand the program to rideshare data from Uber and Lyft. EPIC and CDT also argued that the city's policy goals could be achieved without collecting individual trip data, and described how aggregation, differential privacy, and sampling are widely used to analyze mobility data and protect privacy more than bulk disclosure of individualized trip data. EPIC routinely files amicus briefs in cases applying the Fourth Amendment to novel technologies. (Aug. 3, 2021)

  • In comments responding to a Homeland Security Department (DHS) Request for Information, EPIC urged the agency to slow its investigation into mobile driver's license technology and implement only systems with the most rigorous cryptographic and privacy-preserving design standards. EPIC recently urged the National Institute of Standards and Technology to adopt anonymous credentialing for identity verification cards for federal employees. (Jul. 30, 2021)

  • A new poll from Data for Progress found that 7 in 10 Americans think the government should be doing more to keep their personal data safe and nearly 8 in 10 Americans across the political spectrum support Senator Gillibrand's Data Protection Act, which creates a U.S. Data Protection Agency. "Our government must continue to evolve alongside our society, and adapt to meet new challenges the American people face," Senator Gillibrand said in a blog post. "I believe the best way to do that is by creating a new federal agency designed with your data privacy in mind: the Data Protection Agency." EPIC has long advocated for the creation of a U.S. Data Protection Agency. (Jul. 29, 2021)

  • Today, U.S. Rep. Kathy Castor (FL14) introduced an updated “Protecting the Information of our Vulnerable Children and Youth Act” or the “Kids PRIVCY Act” to strengthen the Children’s Online Privacy Protection Act (COPPA). "Representative Castor’s bill makes critical updates to our children's privacy laws to address the dangers of today’s technologies," said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). "Everyone deserves strong privacy protections online, but children and teens especially need to be protected from corporate surveillance and manipulative targeted advertising. The Kids PRIVCY Act prohibits behavioral ad targeting to children and teens and includes strong enforcement mechanisms to ensure that companies comply with the law. EPIC is proud to support this bill and encourages Congress to move this legislation forward in order to protect children and teens online." (Jul. 29, 2021)

  • EPIC is pleased to announce the newest members of the EPIC Advisory Board. EPIC's new members are leading experts in privacy, technology, and civil liberties law and policy. These experts will help inform EPIC’s important work on emerging privacy and human rights issues. Since its inception, the EPIC Advisory Board has been comprised of innovative and solution-oriented scholars, experts, and advocates. EPIC’s newest Members are: Colleen Brown, Simone Browne, Mishi Choudhary, Michele Bratcher Goodwin, Adrian Gropper, Marcia Hofmann, Jumana Musa, Scott Skinner-Thompson, Ashkan Soltani, Amie Stepanovich, and Katherine Strandburg. (Jul. 26, 2021)

  • The House of Representatives passed the Consumer Protection and Recovery Act (H.R. 2668) Tuesday on a 221-205 vote. The bill explicitly authorizes the Federal Trade Commission to seek monetary relief for injured consumers in federal court and to require bad actors to return money obtained through illegal actions. The amendment to the FTC Act restores a key piece of the FTC's Section 13(b) power, which the FTC previously used to obtain restitution and disgorgement for wronged consumers until the Supreme Court recently limited this authority in AMG Capital Management v. FTC. On Monday, the House Rules committee voted to advance the bill to a floor vote, with bill sponsors stressing that “the urgency is not hypothetical.” The White House has also expressed support for the bill. EPIC has long called for greater protection of consumer privacy through FTC enforcement and the imposition of financial penalties against companies who engage in unfair data practices. Recently, EPIC published a report that highlighted a number of key authorities that the FTC should use to address emerging privacy threats.

    (Jul. 21, 2021)

  • Senator and veteran privacy advocate Ron Wyden recently sent a letter to the Acting Intelligence Community Chief Information Officer urging him to protect intelligence community computers and personnel from threats posed by the sale and misuse of online advertising data. The letter emphasized that advertising companies operate in an unregulated market where they can "collect vast amounts of sensitive information about users, their movements, web browsing, and other online activities" and then offer that information "for sale to anyone with a credit card." Senator Wyden previously led an investigation that uncovered the ways advertising companies were selling so-called "bidstream" data to firms in China, Russia, and other high-risk foreign countries. The sale of bidstream data poses both privacy and national security risks because that data includes precise location information of Americans as well as their device identifiers and browsing histories. In the letter, Sen. Wyden sought information on how, if at all, the intelligence community protects data from online advertisers, including through the use of ad blocking technologies. EPIC has repeatedly raised concerns over the collection of vast amounts of data online and has joined a growing coalition of groups in their call to Ban Surveillance Advertising. (Jul. 21, 2021)

  • EPIC has filed an amicus brief with the ACLU and EFF in United States v. Morton urging the full Fifth Circuit to prohibit invasive forensic searches of cell phones when law enforcement only has probable cause to search some of the data on the phone. In Morton, police obtained a warrant to search the defendant's cell phone for evidence of an alleged drug crime, but instead conducted a forensic search of the phone's full contents and uncovered evidence of an entirely unrelated crime. A Fifth Circuit panel ultimately found that the search violated the Fourth Amendment because it reached a type of data on the phone that was not likely to contain evidence of the specific crime being investigated. EPIC, ACLU, and EFF applauded the panel's recognition that "the scope of cell phone searches must closely adhere to the probable cause showing, lest authority to search a device for evidence of one crime mutate into authority to search the entirety of the device for evidence of any crime—a prohibited general search." The groups argued that, in an age when "Americans’ dependency on smartphones has, intentionally and inadvertently, resulted in our phones containing vast troves of our personal information, strict limits on searches and seizures are necessary to preserve privacy" and that technological and administrative convenience "is no justification for discarding the Fourth Amendment’s probable cause and particularity requirements." EPIC regularly files amicus briefs challenging unconstitutionally broad cell phone searches, including forensic searches of entire cell phones. (Jul. 14, 2021)

  • EPIC and a coalition of privacy and civil liberties groups are calling for stores to stop using facial recognition technology. The new campaign tracks which major retailers use or are considering using facial recognition and aims to pressure these entities to stop. Corporate use of facial recognition is especially concerning because, according to Sen. Ron Wyden, government agencies are already buying surveillance information from corporations to evade warrant requirements. EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of FR, and EPIC's Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same. (Jul. 14, 2021)

  • In comments to the Homeland Security Department (DHS), EPIC highlighted systemic problems with several DHS systems that use facial recognition or artificial intelligence and urged the agency to end these programs. EPIC also urged DHS to put in place rigorous algorithmic impact assessments before the agency undertakes any other AI or facial recognition projects. Recently, EPIC joined over 40 other organizations to detail the issues with cops using facial recognition and call for a law enforcement ban on the technology's use. EPIC has proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. (Jul. 13, 2021)

  • The Executive Order signed today by President Biden addressing competition in the American economy requires the Department of Transportation to address drone privacy. "[G]iven the emergence of new aerospace-based transportation technologies, such as low-altitude unmanned aircraft system deliveries, advanced air mobility, and high-altitude long endurance operations," the Executive Order reads, the Secretary of Transportation shall ensure that the Department of Transportation take action to "facilitate innovation that fosters United States market leadership and market entry to promote competition and economic opportunity and to resist monopolization, while also ensuring safety, providing security and privacy, protecting the environment, and promoting equity." EPIC has long highlighted the privacy and civil liberties implications of aerial surveillance technology and has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." (Jul. 9, 2021)

  • President Biden today signed a wide-ranging executive order with the aim of promoting competition. EPIC has long argued that market consolidation in online platforms threatens privacy. The Executive Order aims to address the ways in which dominant tech firms are undermining competition and reducing innovation in three ways: 1) greater scrutiny of mergers, especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by “free” products, and the effect on user privacy; 2) encouraging the FTC to establish rules on "unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy"; and 3) encouraging the FTC to establish rules barring unfair methods of competition on internet marketplaces. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.

    (Jul. 9, 2021)

  • EPIC has reached a settlement agreement in EPIC v. AI Commission, bringing to a close EPIC's successful litigation to open up the proceedings of the National Security Commission on Artificial Intelligence. The Commission was charged by Congress with developing recommendations on the use of AI in national security and defense contexts. But after the Commission conducted much of its work in secret and without public input, EPIC filed an open government lawsuit against the Commission in 2019. EPIC twice prevailed in the case, securing court rulings that the Commission was subject to the Freedom of Information Act and the Federal Advisory Committee Act. As a result, the Commission was forced to hold public meetings and disclose thousands of pages of records about its work to EPIC. The Commission issued its final report this spring, urging Congress and the President to implement key safeguards on federal AI deployment. However, the report failed to propose any substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year. EPIC's settlement with the Commission resolves EPIC's claim to attorney's fees for its work on the case. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Jul. 7, 2021)

  • In comments to the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and the National Credit Union Administration (Financial Agencies), EPIC highlighted concerns with accuracy and bias of AI systems used by financial actors. EPIC urged the agencies to promulgate rules limiting data collection, sharing, and use, as well as require rigorous impact assessments in order to increase transparency and accountability. EPIC argued that “The adoption of AI by financial actors should not be treated as inevitable, and the agencies are uniquely posed to protect consumers through data collection and use limits, reporting and accountability requirements, and bans on certain discriminatory or untested uses of AI.” EPIC has urged both the White House and Congress to prioritize human rights over AI adoption and has recommended the OECD Principles and the Universal Guidelines for Artificial Intelligence as baseline frameworks for regulating AI and mitigating algorithmic harms. (Jul. 1, 2021)

  • A federal court has rejected an effort by Alabama to scrap the Census Bureau's system for protecting personal data collected in the 2020 Census. Earlier this year, Alabama filed a lawsuit challenging the Bureau's deployment of differential privacy, in which controlled amounts of statistical noise are added to published census data to prevent individuals from being identified and linked with their census responses. The Bureau recently demonstrated that sophisticated "attacks" can identify tens of millions of people from published census data unless robust privacy safeguards are implemented. Alabama sought a preliminary injunction blocking the Bureau's use of differential privacy, but the court denied that motion this week and dismissed many of the claims in the case. Alabama said that it does not plan to appeal this week's ruling, but the case may develop further after the Bureau publishes redistricting data in August. EPIC filed an amicus brief in the case arguing that differential privacy is "the only credible technique" to guard against reidentification attacks. EPIC also argued that differential privacy "is not the enemy of statistical accuracy," but rather "vital to securing robust public participation in Census Bureau surveys[.]" EPIC has long advocated for the confidentiality of personal data collected by the Census Bureau. In 2004, the Bureau revised its "sensitive data" policy after an EPIC FOIA request revealed that the Department of Homeland Security had improperly acquired census data on Arab Americans following 9/11. In 2018, EPIC filed suit to block the citizenship question from the 2020 Census, alleging that the Bureau failed to complete several privacy impact assessments required under the E-Government Act. (Jul. 1, 2021)

  • The Maine Legislature has enacted the country's strongest statewide facial recognition law. Maine's new law prohibits public officials and public employees at the state, county and municipal levels from possessing and using facial recognition technology, with extremely limited exceptions. The Maine law includes a private right of action, meaning that individuals may bring a lawsuit if they believe a government agency or official has violated the law. EPIC Board Member Shoshana Zuboff testified in support of the legislation. "An individual’s ability to control access to his or her identity and personal information, including determining when, how, and to what purpose these are revealed, is an essential aspect of personal security and privacy guaranteed by the Bill of Rights," Professor Zuboff said. "The use of facial recognition technology erodes that ability." EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of FR, and EPIC's Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same. (Jun. 30, 2021)

  • The Wisconsin Supreme Court issued an opinion in Wisconsin v. Burch finding that cell phone data downloaded with a forensic device can be used in a subsequent, unrelated investigation and trial regardless of whether the data was initially obtained without a warrant in violation of the Fourth Amendment. A police department used a forensic device to download the entire contents of the defendant's phone while investigating a hit-and-run and retained a full copy indefinitely. The sheriff's office later accessed and searched the copy during an unrelated homicide investigation and used the defendant's cell phone data as evidence during his trial. The Wisconsin Supreme Court refused to decide the constitutional question. Instead, the Court found that the evidence should not be excluded because the police "acted by the book" and there was no conduct to deter with exclusion. The Court said that the sheriff's office "ha[d] every reason to think [the downloaded data] was lawfully obtained" and found there was no police misconduct because it is "common police practice to share records with other agencies." Dissenting from this holding, Judge Bradley, along with two other justices of the court, recognized that law enforcement "generally needs a warrant to search the data [cell phones] hold." She added that the exclusionary rule should apply in this case because "excluding evidence obtained by following such an unlawful and widespread policy provides significant societal value by both specifically deterring continued adherence to an unconstitutional practice and more broadly incentivizing police agencies to adopt policies in line with the Fourth Amendment." EPIC, along with the ACLU and EFF, filed an amicus brief in the case that argued that the unchecked use of forensic devices to download, store, and share cell data violated the Fourth Amendment by "enabl[ing] the State to rummage at will among a person's most personal and private information whenever it wanted, for as long as it wanted" without a warrant. EPIC regularly files amicus briefs challenging unlawful access to cell phone data. (Jun. 29, 2021)

  • In a report, the Government Accountability Office found that 13 federal law enforcement agencies are unable to track employees' use of facial recognition services and reported that 20 agencies use some form of facial recognition. Eight agencies own systems while 17 agencies used a system outside the agency in the last two years. The report found that 10 agencies used Clearview AI and 5 used its competitor Vigilant Systems. The GAO also reported that most federal law enforcement agencies were unable to comply with Privacy Act and E-Government Act requirements because the agencies do not track employee use of outside facial recognition systems. EPIC has an ongoing lawsuit under the Freedom of Information Act seeking documents on Immigration and Customs Enforcement's use of Clearview AI and other facial recognition services. Recently, EPIC joined over 40 other organizations to detail the issues with law enforcement’s use of facial recognition and call for a law enforcement ban on the technology's use. (Jun. 29, 2021)

  • EPIC has joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. The text as it stands could force companies using strong security protections - such as end-to-end encryption - to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption. (Jun. 29, 2021)

  • A federal court in Washington, D.C. has dismissed a pair of antitrust lawsuits brought against Facebook by the Federal Trade Commission and 48 state attorneys general—but left open the possibility that the FTC could revive its case. The lawsuits allege that Facebook has illegally stifled competition to maintain its social networking monopoly, driving down "the quality and variety of privacy options" available to users (among other harms). But Judge James E. Boasberg ruled that the FTC and attorneys general had waited too long to challenge aspects of Facebook's Instagram and WhatsApp acquisitions, and that the FTC had failed to adequately define the social networking "market" in which Facebook exercises monopoly power. Judge Boasberg noted that the FTC may be able to correct the second issue in an amended complaint and move forward with its case. EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward. (Jun. 28, 2021)

  • The U.S. Supreme Court issued a decision today in TransUnion LLC v. Ramirez, an important case about the ability of individuals to bring privacy cases in federal court. The Court, in a controversial 5-4 decision authored by Justice Kavanaugh, held that proof of "concrete harm" is required to establish standing to sue under Article III of the U.S. Constitution. The jury in this case found that TransUnion had willfully violated the Fair Credit Reporting Act (FCRA) when it falsely flagged the credit reports of thousands of individuals for being "Specially Designated Nationals" under the Office of Foreign Asset Controls list that includes terrorists, drug traffickers, and other sanctioned individuals. The Supreme Court held that the group of individuals who could prove that these false credit reports had been disclosed to third parties had standing to sue, but the group who did not provide evidence that their reports had been disclosed did not meet the burden under Article III.

    This decision will have significant implications for individuals seeking redress in federal court for privacy violations that do not involve the improper disclosure of personal information. EPIC filed an amicus brief in TransUnion, urging the Court to hold that people can sue when their privacy rights are violated, regardless of whether they allege that the violation led to other harms. Justice Thomas, joined by three other members of the Court, agreed and would have ruled that standing exists in any case brought by an individual to vindicate a violation of their private rights. EPIC's Executive Director, Alan Butler, said that "the Supreme Court's decision in TransUnion does not close the door on all privacy claims, but it certainly makes it more difficult for individuals to seek redress in privacy cases that don't involve improper disclosure of information." EPIC previously filed an amicus brief on this issue with the Supreme Court in Spokeo v. Robins and frequently files amicus briefs in cases interpreting standing under a variety of privacy laws.

    (Jun. 25, 2021)

  • The en banc 4th Circuit ruled today that Baltimore's warrantless aerial surveillance program violates the Fourth Amendment because it "enables police to deduce from the whole of individuals' movements[.]" The Aerial Investigation Research program was a public-private partnership with Persistent Surveillance Systems that flew several surveillance planes above Baltimore, capturing detailed video of 32 square miles of the city per second. Using the AIR pilot program, Baltimore Police were able to track individual movements throughout the city for up to 12 hours a day. The pilot program was not renewed at the end of its 6-month term last year. EPIC joined an amicus brief in the case, arguing that under Carpenter v. United States the Baltimore Police Department's ability to track individuals with at least 45 days of flight video augmented by automated license plate reader systems constituted a search. EPIC previously filed an amicus brief in Carpenter v. United States and has long fought to limit drone surveillance and other forms of aerial spying. (Jun. 24, 2021)

  • The House Judiciary Committee is today holding a markup session on six bills aimed at disrupting the monopoly power of Big Tech. EPIC has long argued that market consolidation in online platforms threatens privacy. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp. (Jun. 23, 2021)

  • As part of EPIC's ongoing lawsuit for cell phone surveillance orders issued by federal prosecutors, the Department of Justice identified 182 orders and warrants for cell phone location data under § 2703(d) from the U.S. Attorney's Office for the District of Rhode Island from 2016-2019. During the same time period, the office handled 453 criminal cases. The District of Rhode Island is one of the smallest districts in the country. EPIC has previously obtained the number of location data requests for the District of Delaware and the Virgin Islands, two of the five districts that the DOJ has agreed to search for location data requests. EPIC is awaiting responses from two of the agency's other prosecutor's offices and will continue to update its comparative table as remaining districts release more information. Currently, prosecutors do not release any comprehensive or uniform data about their surveillance of cell phone location data. In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that the collection of cell phone location data without a warrant is a violation of the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.). (Jun. 21, 2021)

  • In a joint opinion regarding the European Commission's Proposal for Regulation on artificial intelligence, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) called for a ban on the use of "AI for automated recognition of human features in publicly accessible spaces, and some other uses of AI that can lead to unfair discrimination." Europe's two main data protection authorities also critiqued the European Commission for failing to include international law enforcement efforts in the proposed regulations. The joint opinion is the latest in an increasing chorus of calls for a ban on facial recognition. EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of FR, and EPIC's Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same. (Jun. 21, 2021)

  • EPIC has petitioned the full D.C. Circuit Court of Appeals to reverse a recent decision by a three-judge panel allowing the FAA's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit in 2018 against the industry-dominated Committee, which consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records under the Federal Advisory Committee Act. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees—a decision that a divided panel of the D.C. Circuit affirmed in April. Circuit Judge Robert L. Wilkins, writing in dissent, accused the majority of "doing violence to the text" of the FACA and argued that the decision "undermines FACA's purpose and greenlights an easily abusable system[.]" EPIC's petition highlights ways in which the panel's opinion conflicts with past D.C. Circuit decisions and warns that the ruling gives federal agencies "a legal roadmap to evade the public scrutiny that Congress intended FACA to provide." The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (Jun. 18, 2021)

  • In a coalition letter, EPIC and more than twenty civil society groups called for reforms to surveillance statutes authorizing collection of sensitive information and gag orders. The letter follows recent revelations that the Department of Justice spied on members of Congress and the press by collecting their communications and issued gag orders to hide that surveillance. The coalition also called for a thorough investigation by Congress and the DOJ. EPIC recently endorsed a bill to stop government use of facial recognition and other biometric surveillance tools. (Jun. 18, 2021)

  • The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)

  • Senator Kirsten Gillibrand (D-NY) has introduced the Data Protection Act of 2021 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "It’s time for America to catch up with the rest of the world and create a Data Protection Agency," said Caitriona Fitzgerald, EPIC Deputy Director. "Congress’ ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach. Senator Gillibrand’s Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory. The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans. EPIC urges Congress to enact the Data Protection Act." EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. [Bill text] [Sen. Gillibrand Press Release]

    (Jun. 17, 2021)

  • EPIC has released a report highlighting numerous statutory authorities that the Federal Trade Commission has failed to use to safeguard privacy. The report, What the FTC Could Be Doing (But Isn't) to Protect Privacy, identifies untapped or underused powers in the FTC's toolbox and explains how the FTC should deploy them to protect the public from abusive data practices. EPIC's report also criticizes the FTC's lack of effective privacy enforcement over the past two decades. "A common refrain from the Commission during this period is that it lacks the authority to address these mounting threats to individual privacy," the report explains. "But the FTC has not made full use of the authorities that it already has." The report comes a day after Lina Khan was confirmed to the FTC and named chairwoman of the Commission. EPIC has frequently challenged the FTC over its failure to address consumer privacy harms and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also supports legislation that would restore the FTC's 13(b) authority to obtain restitution for individuals harmed by companies’ unlawful trade practices, which the Supreme Court recently curtailed in AMG Capital Management v. Federal Trade Commission. (Jun. 16, 2021)

  • Senator Edward J. Markey (D-Mass.), along with Senators Merkley, Sanders, Warren, and Wyden, as well as Congresswomen Jayapal, Pressley, and Tlaib today introduced legislation to stop government use of biometric surveillance, including facial recognition tools. The Facial Recognition and Biometric Technology Moratorium Act prohibits the use of facial recognition and other biometric technologies by federal agencies, including Customs and Border Protection. "Facial recognition poses a significant threat to our democracy and privacy," said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). "Facial recognition technology has been shown time and time again to be biased, inaccurate, and disproportionately harmful to people of color. The Facial Recognition and Biometric Technology Moratorium Act of 2021 would effectively ban law enforcement use of this dangerous technology. EPIC is proud to support it." EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. Recently, in an open letter EPIC and a coalition of more than 175 civil society organizations and prominent individuals called for "an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance."

    (Jun. 15, 2021)

  • Lina Khan was confirmed to the Federal Trade Commission by the U.S. Senate and named chair of the Commission by President Biden today. Khan received bipartisan support, with senators voting 69-28 in support of her confirmation. Khan is an expert on antitrust enforcement and served as counsel to House Antitrust Subcommittee Chairman David Cicilline during the Subcommittee's groundbreaking investigation last year. She has written extensively on the problems of concentrated power in the context of digital markets and said during her confirmation hearing that "I worry that some of these companies may think it's just worth the cost of business to actually violate privacy law." EPIC has long argued that the FTC is not doing its job to protect privacy and that the U.S. needs a Data Protection Agency. "Commissioner Khan has a tremendous opportunity as Chair to transform the FTC at a moment where anticompetitive and invasive business practices have proliferated," said Alan Butler, Executive Director of the Electronic Privacy Information Center (EPIC). "Large tech companies have increasingly infiltrated our lives to the most minute level, and it will take a keen and aggressive regulator to ensure that these powerful entities don't monopolize our markets and our data."

    (Jun. 15, 2021)

  • The U.S. Supreme Court has vacated the Ninth Circuit's decision in LinkedIn v. hiQ Labs but will not decide the merits of the case, instead sending the case back to the Ninth Circuit for a new decision in light of Van Buren v. United States. EPIC had filed an amicus brief in support of the Petition for Certiorari. The LinkedIn v. hiQ petition asked whether hiQ lacked authorization to access LinkedIn's servers under the Computer Fraud and Abuse Act after LinkedIn used a combination of technical and verbal methods to cut off hiQ's access to the website to stop the company from scraping user data. hiQ sued LinkedIn to regain access to the website, arguing that its business model depended on access to LinkedIn user data. A district court granted hiQ's request for an injunction, which LinkedIn appealed. EPIC filed an amicus brief in the Ninth Circuit arguing that the injunction was "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." The Ninth Circuit upheld the injunction, finding that hiQ's economic interests outweighed the interests in protecting users' personal information. In its amicus brief in support of LinkedIn's petition for cert, EPIC explained that the Ninth Circuit's decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data." The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system. The case will most likely be sent back to the district court for a new decision that accords with Van Buren v. United States. (Jun. 14, 2021)

  • In a report to Parliament the Canadian Privacy Commissioner concluded that the Royal Canadian Mounted Police (RCMP) violated the Canadian Privacy Act by using Clearview AI's facial recognition project. The Commissioner's report follows a February 2021 investigative report that Clearview AI violated Canada's Personal Information Protection and Electronic Documents Act by scraping images off social media sites to create a facial recognition database so that "billions of people essentially found themselves in a '24/7' police line-up." Recently, in an open letter EPIC and a coalition of more than 175 civil society organizations and prominent individuals called for "an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance." (Jun. 10, 2021)

  • In a DC Council Hearing (video starts at 13:22), Chairman Phil Mendelson asked Metropolitan Washington Council of Governments' (MWCOG's) Executive Director Chuck Bean for more information on the soon-to-be-shuttered DC-area facial recognition system. The Chairman's questions were prompted by a meeting with EPIC in which EPIC staff pushed for more disclosures on the MWCOG's role in the creation of a secret facial recognition system used to surveil Black Lives Matter protesters last year. Recently, EPIC joined over 40 other organizations to detail the issues with cops using facial recognition and call for a law enforcement ban on the technology's use. (Jun. 10, 2021)

  • EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE] (Jun. 10, 2021)

  • EPIC has filed an amicus brief in Cothron v. White Castle, a case about when violations of Illinois's Biometric Information Privacy Act ("BIPA") can be vindicated in court. Cothron alleges that White Castle collected and disclosed her fingerprints for a decade in violation of BIPA. White Castle is trying to scuttle the case, claiming that an individual is only able to sue the first time a company violates their BIPA rights because it is only then that an individual "loses control" of their biometric data and suffers a legal injury. White Castle argues that, even if the company continued to violate BIPA to this day, they shouldn't be held liable because the first violation was long enough ago that it falls outside the statute of limitations. But the Illinois Supreme Court held in Rosenbach v. Six Flags that every violation of BIPA confers the right to sue. The district court accordingly rejected White Castle's argument, but certified the question to a federal appeals court. EPIC filed an amicus brief in the appeals court and argued that White Castle's proposed rule would effectively "overrule the Illinois Supreme Court on a question of state law" by attempting "to import arguments about Article III standing into the BIPA statutory injury analysis." EPIC also argued that White Castle is "mistaken about the underlying purpose of BIPA" and that White Castle's rule "would in fact undermine BIPA’s purposes" because it "would remove the key incentive for companies who previously violated BIPA to come into compliance, adopt responsible biometric data practices, and seek informed consent." EPIC has filed amicus briefs in other BIPA cases, including Rosenbach v. Six Flags and Patel v. Facebook, and regularly participates as amicus in cases concerning the right to sue for privacy violations. (Jun. 7, 2021)

  • In an open letter, EPIC and a coalition of more than 175 civil society organizations, activists, technologists, and other experts called "for an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance." The letter urges lawmakers around the world to stop public investment in facial recognition, prohibit government and private use of facial recognition in public spaces, and mandate disclosure and reparations to individuals monitored or harmed by biometric mass surveillance systems. The letter identifies one-to-many facial recognition identification (comparing an image to a gallery of identified images) as inherently dangerous to the public because the databases of images enable discriminatory targeted surveillance and the technology itself enables comprehensive public surveillance. EPIC began pushing for a ban in 2019 with the launch of the Ban Face Surveillance campaign and recently joined over 40 other organizations to call for a ban on U.S. law enforcement's use of facial recognition technology. (Jun. 7, 2021)

  • The Eleventh Circuit recently ruled that the $425 million class action settlement arising from the 2017 Equifax data breach, which compromised the personal data of nearly half of all Americans, should move forward. The district court previously approved the settlement in 2020, but it has been stayed pending the appeal. The settlement was supported by various government agencies including the CFPB, the FTC, and 48 state Attorneys General, but several class members raised objections about the adequacy of the relief. The Eleventh Circuit rejected those objections, and now the settlement will move forward in the lower court. Meanwhile, a related $575 million settlement entered into by Equifax and the FTC, CFPB, and most state Attorneys General in 2019 will allow people affected by the breach to file a claim for expenses incurred between January 2020 and January 2024 as a result of identity theft or fraud related to the breach; people can also be compensated for up to 20 hours of time spent on recovering from the breach. Equifax was also required to pay $125 for each person who claimed they were wronged by the breach, but the company has so far failed to do so. This was one of the largest data breaches in history, and it has revealed the dire need to improve data security in the United States. (Jun. 4, 2021)

  • The Washington Post Editorial Board called on Congress to impose a nationwide moratorium on facial recognition technology until it can pass legislation requiring technical and legal safeguards for the use of the technology. The Post cited the recent shutdown of a DC-area facial recognition system after an EPIC-led coalition organized against the system. In 2019, EPIC launched the Ban Face Surveillance campaign and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. EPIC has joined with other organizations to oppose school administrators' use of facial recognition, urge President Biden to halt the federal use of facial recognition, and press Congress to stop the use and investment in facial recognition. Most recently, EPIC joined over 40 other organizations to detail the issues with cops using facial recognition and call for a law enforcement ban on the technology's use. (Jun. 3, 2021)

  • In today’s decision in Van Buren v. United States, the Supreme Court determined that a police officer who improperly accessed a license plate record could not be held liable under a federal computer crimes law, the Computer Fraud and Abuse Act. EPIC highlighted the serious privacy concerns with government employees’ improper access to sensitive personal information in government databases in the amicus brief we filed in this case, and several justices echoed these concerns during oral argument. The outcome of this case highlights the urgent need for comprehensive privacy legislation. We need enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.

    The Court also did not resolve what it means for someone to have “authorization” to access a computer or to be “entitled” to access information in the computer. The Court endorsed a general “gates-up-or-down approach”—meaning an individual either has authorization to access the computer or specific information within the computer or does not—but explicitly left open the question whether the prohibitions on access must be technical or whether they can be contract-based. The range of criminalized activities may, in some respects, still be much broader than even the Government was advocating. Certain website terms of service that prohibit specific individuals or groups from accessing the website may still be enforceable even if the individuals have no knowledge of the restrictions and the website owners do nothing else to limit access. An 18-year-old who accesses a website restricted to those over the age of 21 may violate the CFAA, but a police officer who knowingly accesses personal information to stalk and harass the individual does not.

    The Court also did not clearly answer more complicated access questions about web scraping, and the Court should grant the pending petition in LinkedIn v. hiQ Labs to resolve these questions. Web scraping involves accessing a computer using a technical method that is often prohibited by a website's terms of service and also blocked using technical barriers. EPIC filed an amicus brief in support of the petition. (Jun. 3, 2021)

  • In a statement of concerns, EPIC and a coalition of more than 40 privacy, civil liberties, immigrants' rights, and good government groups stated that "the most comprehensive approach to addressing the harms of face recognition would be to entirely cease its use by law enforcement." The statement lists six concerns with police use of the technology that can only be addressed by halting its use. The coalition calls for a moratorium or ban on use of facial recognition and urges Congress to not preempt state or local bans in any federal legislation addressing facial recognition. EPIC recently organized a coalition letter that led to the shutdown of a DC-area facial recognition system previously used on Black Lives Matter protesters. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. (Jun. 3, 2021)

  • An ordinance passed in King County, Washington bans "any person or entity acting on behalf of a King County administrative office or executive department" from using facial recognition technology or information derived from it. The ban includes the King County Sheriffs Department. Seattle's King County is the first county in the nation to ban government use of facial recognition technology. EPIC recently sought records on the US Postal Service's Internet Covert Operations Program use of Clearview AI facial recognition and other surveillance software. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. (Jun. 2, 2021)

  • WhatsApp previously threatened sanctions against users who would not accept the company’s new terms of use with weaker privacy protections, but backed down late Friday after a coalition of groups from around the world protested. Burcu Kilic, digital rights program director for Public Citizen, released the following statement in response: “Thank you for stopping what you never should have started. Now please also undo what you coerced millions of people into accepting.” In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinely incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." (Jun. 1, 2021)


  • The U.S. Innovation and Competition Act introduced recently by Senate Majority Leader Chuck Schumer would earmark $53 billion for technological and AI development yet fails to include critical safeguards for federal AI deployment. One section of the bill, the Endless Frontier Act, would significantly increase National Science Foundation funding to expand research and improve the diversity of the STEM workforce. The bill would also allocate funds for analyzing and combatting human rights violations in China and promoting "American Leadership" in AI development. Another section of the bill, the Advancing American AI Act, would incrementally improve the transparency and accountability of government AI use. The Office of Management and Budget would be tasked with ensuring that federal contracts for AI systems address "privacy, civil rights, and civil liberties," and each agency would be required to assemble and publish (when "practicable") an inventory of its AI systems. However, the bill—much of which tracks recommendations by the NSCAI—fails to establish binding limitations on federal AI use and offers little protection for members of the public injured by government-operated AI systems. EPIC previously urged the Commission to recommend substantive limits on AI to protect individuals against harmful, biased, invasive, and unreliable AI systems. (May. 28, 2021)

  • Senator Ed Markey (MA) and Representative Doris Matsui (CA) introduced the Algorithmic Justice and Online Transparency Act of 2021 today. The bill prohibits discrimination based on protected classes for algorithmic processes on online platforms, requires online platform companies to create and maintain documentation about their algorithms for review by the FTC, and sets out a standard for what safe and effective algorithmic processes would be. The bill also calls for the creation of an inter-agency task force to investigate discriminatory algorithmic processes including the Federal Trade Commission, Department of Housing and Urban Development, Department of Education, Department of Justice, and the Department of Commerce. EPIC endorses the bill, and has been advocating for Algorithmic Transparency and Equity, specifically urging state, federal, and international governments to regulate harmful AI guided by the Universal Guidelines for AI. Last year, EPIC petitioned the FTC to establish a rulemaking regulating algorithmic tools in order to address discrimination. (May. 27, 2021)

  • D.C. Attorney General Karl Racine filed a lawsuit today against Amazon alleging that the online retail giant has violated the District of Columbia Antitrust Act. The complaint accuses Amazon of stifling competition by imposing contractual clauses that prevent third-party sellers from offering lower prices outside of the Amazon platform. The lawsuit explains that the agreements ultimately lead to higher prices for consumers and less innovation. “Amazon wins because it controls pricing across the online retail sales market, putting itself at an advantage over everyone else,” Racine told reporters. “These restrictions allow Amazon to build and maintain monopoly power.” In February, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs dark patterns to manipulate consumers when they attempt to cancel their Amazon Prime subscriptions. These dark patterns enable Amazon to continue collecting subscription fees and retain the personal data of misdirected subscribers. EPIC also signed onto a recent coalition letter calling for the Federal Trade Commission to investigate Amazon’s use of dark patterns in the Prime cancellation process. EPIC has long argued that anticompetitive practices and market consolidation in the technology sector pose a threat to privacy rights. (May. 25, 2021)

  • EPIC, through a Freedom of Information Act request and letter to the USPS Privacy Office, is seeking the required Privacy Impact Assessment for the Internet Covert Operations Program (iCOP) operated by the U.S. Postal Inspection Service. First revealed by Yahoo News in April, the iCOP uses Clearview AI's facial recognition system and a suite of social media monitoring tools to surveil individuals online, including protesters. EPIC also urged the USPS Privacy Office to fully comply with the E-Government Act of 2002 by proactively publishing privacy impact assessments online. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. (May. 25, 2021)

  • This week, the grand chamber of the European Court of Human Rights issued a final judgement in Big Brother Watch v. UK confirming that the UK's intelligence agency violated the right to privacy by systematically intercepting online communications without first applying necessary safeguards. The agency's mass surveillance program was "not in accordance with [EU] law," which only allows governments to retain data in an effort to combat "serious crime" and requires a court or administrative body to sign off on data collection. The UK law at issue was not limited to serious crime, nor did it require independent authorization; these "fundamental deficiencies" impermissibly increased the "risk of the bulk interception power being abused." Nevertheless, the grand chamber found that the agency's decision to operate a bulk interception program did not itself violate human rights, and the agency's sharing of sensitive digital intelligence with foreign counterparts--including with the NSA--was legal. Several chamber judges believed this ruling did not go far enough to condemn the sharing of wrongfully collected communications with other countries, noting the chamber "missed an excellent opportunity to fully uphold the importance of private life ... when faced with interference in the form of mass surveillance." EPIC has a strong interest in protecting the human right to privacy and has continuously opposed suspicionless mass collection of personal communications by domestic and foreign governments. EPIC participated in this case as a third-party intervenor and filed a brief describing U.S. intelligence authorities that allow the NSA to access the private communications of non-U.S. persons in violation of their rights. EPIC was also chosen by the Irish High Court to make amicus submissions in a case involving the international transfer of data from European servers to the U.S. in violation of E.U. law. (May. 25, 2021)

  • EPIC's Student Privacy Project has been selected for inclusion in the spring 2021 Tech Spotlight Casebook, a publication of the Harvard Kennedy School's Belfer Center for Science and International Affairs. The casebook "recognizes projects and initiatives that demonstrate a commitment to public purpose in the areas of digital, biotech, and future of work." The book highlights EPIC's recent efforts to halt the use of unfair, unreliable, and invasive remote proctoring tools and the D.C. consumer protection complaint EPIC filed against online proctoring firms. "Through meticulous research, the Student Privacy Project revealed the extent to which these companies collect and process student personal and biometric data," the casebook explains. "The complaint attempts to hold the five companies accountable for their practices by demonstrating how the data collection and processing practices may violate existing law." The casebook also recognizes recent work around census privacy protections, community control over police surveillance, racially biased speech recognition tools, and the use of "garbage" facial recognition to identify criminal suspects. A ceremony will be held Thursday, May 20 at 1 p.m. ET. (May. 19, 2021)

  • The Metropolitan Washington Council of Governments (MWCOG) informed EPIC today that the National Capital Region Facial Recognition System (NCR-FRILS) will be shut down by July 1, 2021. The system is used by police departments and government agencies in the DC, Maryland, and Virginia area. EPIC led a coalition that recently sent a letter to the MWCOG demanding an end to the system citing the dangerous nature of facial recognition and racial bias in facial recognition software. A recently passed law in Virginia requiring approval from the General Assembly before using facial recognition was going to curtail NCR-FRILS use in that state. The facial recognition system was first disclosed last year after it was used to identify a protester at a Black Lives Matter rally who was accused of assault. (May. 14, 2021)

  • In comments to the DHS's Data Privacy and Integrity Advisory Committee (DPIAC), EPIC urged a comprehensive review of DHS's Information Sharing Access Agreements (ISAAs) prioritizing the most sensitive types of data, information from marginalized groups, and agreements disclosing information to unreliable partners. EPIC's comments respond to DPIAC's tasking to provide guidance to the DHS Privacy Office after an OIG audit revealed that thousands of ISAAs had never been reviewed for compliance with privacy laws and regulations. EPIC previously urged DPIAC to undertake a comprehensive investigation of fusion centers for chronic privacy and civil liberties abuses. (May. 14, 2021)

  • The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (May. 14, 2021)

  • Today, Congresswoman Lori Trahan (MA-03) led a group of fellow Congressional Hispanic Caucus members in writing a letter calling on Facebook Chairman and CEO Mark Zuckerberg to reverse the company’s decision to require WhatsApp users to accept expanded data collection or leave the platform entirely. “We write to respectfully ask Facebook to consider reversing WhatsApp’s decision to update their new terms of service. We believe Facebook is potentially offering a false choice to users across the globe: accept the sharing of metadata with Facebook by May 15th or leave the platform altogether,” the lawmakers wrote. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." In their letter, the members highlight that pledge and the FTC's statement. (May. 11, 2021)

  • More than 40 state attorneys general have sent a letter to Mark Zuckerberg pressuring Facebook to drop its plans to launch a version of Instagram for children younger than 13. The Attorneys General, led by Massachusetts Attorney General Maura Healey, expressed bipartisan support to protect children’s privacy and their physical and mental health. The AGs raised concerns about Facebook’s history of privacy incidents, stating “Facebook has a record of failing to protect the safety and privacy of children on its platform, despite claims that its products have strict privacy controls[.]” The Campaign for a Commercial-Free Childhood commented “If Facebook insists on plowing ahead, it’s the clearest sign yet that the company views itself as accountable to no one, even when it comes to the well-being of children, and must be regulated much more rigorously,” and lawmakers have similarly expressed concerns about children’s privacy issues with social media. EPIC signed on to a coalition letter by the Campaign for a Commercial-Free Childhood that urged Zuckerberg to cancel plans to launch a version of Instagram for children under 13. (May. 11, 2021)

  • According to a news report, the Biden Administration plans to rescind a proposed rule to massively expand the collection of biometric information from immigrants. The rule, proposed towards the end of the Trump Administration, would have granted the Department of Homeland Security broad authority to collect biometric data from immigrants and their families and associates. The rule would have enabled the collecting of palm prints, iris images, voiceprints, DNA, and images for facial recognition regardless of age. In comments to the Department of Homeland Security, EPIC opposed the rule and urged the agency to rescind the proposed rule. EPIC argued that DHS's broad authorization to collect biometrics was incompatible with the Department's Fair Information Practice Principle. EPIC also specifically called on the agency to suspend the use of facial recognition technology. Last year, EPIC, joined by over 40 organizations, called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (May. 11, 2021)

  • In comments to the Health and Human Services Department (HHS), EPIC opposed proposed changes to the HIPAA Privacy Rule reducing restrictions on disclosing patients’ Protected Health Information (PHI). HHS's proposed rule would expand the entities that can receive PHI without patient consent, lower the standard for disclosing PHI in the process of care coordination, and specifically authorize certain non-consensual disclosures of PHI for patients with mental illness and substance abuse disorders. EPIC argued that the modifications will expose patients to greater risk of data breach and increase barriers to receiving care for stigmatized populations without providing benefits to patients. Recently, EPIC Executive Director Alan Butler and Counsel Enid Zhou published a paper in the American University Law Review analyzing the increased collection of health data during the Covid-19 pandemic. (May. 7, 2021)

  • The White House has launched AI.gov, the new website of the National Artificial Intelligence Initiative Office featuring reports, policy priorities, and news about artificial intelligence from across the federal government. The site lists "Advancing Trustworthy AI" and "International Cooperation" as two of six top priorities for federal AI policy, embracing the Organization for Economic Cooperation and Development AI Principles and the G20 AI Principles. EPIC has urged both the White House and Congress to prioritize human rights over AI adoption and has recommended the OECD Principles and the Universal Guidelines for Artificial Intelligence as baseline frameworks for regulating AI and mitigating algorithmic harms. EPIC has also fought for transparency in AI policymaking, successfully suing the National Security Commission on Artificial Intelligence to enforce its public records and open meetings obligations. (May. 5, 2021)

  • Through a Freedom of Information Act request to the Department of Homeland Security, EPIC obtained records circulated in a 2018 election security meeting with members of the U.S. House of Representatives. On May 22, 2018, then-DHS Secretary Kirstjen Nielsen, then-Federal Bureau of Investigation Director Christopher Wray, and then-Director of National Intelligence Dan Coats held a classified briefing for members of Congress informing them of the risks to the election process and steps the administration was taking to assist state officials in ensuring election security. The briefing materials include charts on election infrastructure cyber risk scenarios and cybersecurity considerations, as well as compiled anecdotes of the DHS's engagement with state election security officials. These anecdotes highlighted how states have taken efforts to strengthen their election systems for the 2018 mid-term elections, including some states taking up the voluntary election security resources from DHS. EPIC sued the DHS for records about the agency’s assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency released hundreds of pages of records to EPIC about its role in election cybersecurity, with records revealing the agency's rocky initial involvement in election security following its 2017 designation of election infrastructure as critical infrastructure and how far the agency has come since then. The case is EPIC v. DHS, 17-2047 (D.D.C.). (May. 5, 2021)

  • In a letter to Spotify, EPIC and a coalition of over 100 recording artists, 69 non-profit organizations, and 10 prominent individuals urged the streaming service to publicly commit not to explore a newly-patented voice-recognition feature. Spotify's new patent would allow the company to identify individuals' "emotional state, gender, age, or accent" to recommend music. The coalition letter identified major concerns with the potential technology including emotional manipulation, discrimination, massive privacy violations, and increased inequality within the music industry. Spotify recently stated that the company has not implemented the technology, and claims to have "no plans" to do so. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries. (May. 4, 2021)

  • The Massachusetts Attorney General, following up on a letter from EPIC and a coalition of civil society groups, wrote to major pharmacies today seeking details about their collection and use of personal data from COVID-19 vaccine recipients. The federal government is coordinating with retail pharmacies to facilitate vaccine distribution. But as EPIC and coalition partners warned last month, some pharmacies "are requiring patients seeking access to the vaccine to register through their existing customer portals, which in turn exposes patients to broad personal data collection and marketing." The Massachusetts AG letter calls on pharmacies to explain what personal data they collect from vaccine patients, what disclosures they make, whether the pharmacies will use the data for commercial purposes, and whether the data is being stored separately from general customer information. "[A]ccess to life-saving vaccines should not be conditioned on a consumer's consent to provide personal data not necessary for the vaccination administration," the AG's letter explains. "Nor can consent to such data collection or marketing be presumed based on a consumer's desire to obtain a vaccination." The CDC recently issued a directive prohibiting health providers "from using any data gathered in the course of their participation in the CDC COVID-19 Vaccination Program, including any Protected Health Information or other Personally Identifiable Information, for commercial marketing purposes." EPIC and coalition partners also asked officials in California, Illinois, New York, and the District of Columbia to investigate and prevent pharmacies from putting vaccine patient data to commercial use. (May. 3, 2021)

  • A divided panel of the D.C. Circuit, ruling today in EPIC's case against the FAA Drone Advisory Committee, held that the committee can keep the records of its controversial working groups secret. EPIC filed suit in 2018 against the industry-dominated body, which ignored the privacy risks posed by the deployment of drones even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the committee was forced to disclose hundreds of pages of records under the Federal Advisory Committee Act. But a lower court ruled in 2019 that the records from the committee's working groups could be withheld from the public—a decision that the D.C. Circuit affirmed today. Judge Robert L. Wilkins, writing in dissent, accused the majority of "doing violence to the text" of the FACA and argued that the decision "undermines FACA's purpose and greenlights an easily abusable system[.]" Noting the "obvious privacy concerns that drones present" and the fact that the DAC was "stacked with industry representatives," Wilkins warned that "[w]e should look with suspicion upon agency efforts to circumvent FACA by using subgroups." The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (Apr. 30, 2021)

  • The Foreign Intelligence Surveillance Court (FISC) recently disclosed an opinion revealing that the FBI has repeatedly misused Section 702 of the Foreign Intelligence Surveillance Act (FISA) to gather information in domestic investigations. Section 702 (sometimes referred to as the "PRISM" program) authorizes certain programs of surveillance of private communications for foreign intelligence purposes, without prior court approval, where the surveillance targets non-US persons located abroad. The law has been widely criticized, in part, because of the "backdoor search" loophole that allows domestic law enforcement officials to access Americans' communications without a warrant. The surveillance court previously found that the FBI's procedures for obtaining information through backdoor searches violated the Fourth Amendment. The newly published opinion demonstrates how the FBI has failed to reform these unlawful practices. An audit revealed that the agency searched FISA information 40 times last year while investigating a wide range of purely domestic crimes, including health-care fraud, gang violence, domestic terrorism by "racially motivated violent extremists," and public corruption. Again, the FISC expressed "concern[] about the [FBI's] apparent widespread [Section 702] violations." EPIC has long tracked FISA court orders and advocated for FISA reform. More recently, EPIC filed a Freedom of Information Act lawsuit seeking disclosure of a report concerning FBI use of Section 702 authority for domestic criminal investigations and participated as amicus to address the scope of U.S. surveillance authorities in the Court of Justice of the European Union. (Apr. 29, 2021)

  • In a letter to the Metropolitan Washington Council of Governments, an EPIC-led coalition of privacy, civil liberties, and good government groups urged the Council to end the National Capital Region Facial Recognition System (NCR-FRILS) project and disclose all documents associated with it. In a Washington Post article covering the coalition letter, EPIC Senior Counsel, Jeramie Scott, argued that "facial recognition is a particularly invasive surveillance technology that undermines democracy and First Amendment rights." NCR-FRILS is a facial recognition system used by police departments and government agencies in the DC, Maryland, and Virginia area. The system runs comparisons against a database of 1.4 million local mug shots. The project was never publicly announced and was only revealed during the prosecution of a Black Lives Matter protester last fall. EPIC previously submitted a series of open government requests to police departments in the DC-area seeking more information on the system. (Apr. 28, 2021)

  • A new poll from Morning Consult found that 83% of voters say that Congress should pass national data privacy legislation this year. Democrats (86%) and Republicans (81%) expressed bipartisan support for Congress to prioritize a federal privacy bill. The poll also found that voters place similar amounts of responsibility on both federal and state lawmakers, as well as federal regulators, to regulate data privacy. With respect to regulating how companies collect, store, and share personal information, 72% of voters said Congress is either “very responsible” or “somewhat responsible” while 79% said the same for federal agencies and 75% for state governments. Nearly 9 in 10 adults said it was either “very” or “somewhat” important to protect their most sensitive identifiable information under a privacy law, including Social Security number (89%), banking information (89%), biometric data (88%), and driver’s license number (88%). EPIC has called for comprehensive baseline federal legislation and the creation of a U.S. data protection agency, and has advocated for strong state privacy laws. (Apr. 27, 2021)

  • EPIC has filed an amicus brief urging an Alabama federal court not to upend the Census Bureau's system for protecting personal data collected in the 2020 Census. Alabama is challenging the Bureau's use of differential privacy, in which controlled amounts of statistical noise are added to published census data to prevent individuals from being identified and linked with their census responses. The Bureau recently demonstrated that sophisticated reidentification "attacks" can identify tens of millions of people from published census data unless stronger privacy safeguards are used. As EPIC argues in its brief, "differential privacy is the only credible technique to protect against such attacks, including those that may be developed in the future." EPIC's brief explains that federal law imposes on the Bureau an "affirmative duty to protect the privacy of census respondents—not merely to avoid direct, unfiltered publication of census responses." EPIC also argues that differential privacy "is not the enemy of statistical accuracy," but rather "vital to securing robust public participation in Census Bureau surveys[.]" EPIC has long advocated for the confidentiality of personal data collected by the Census Bureau. In 2004, the Bureau revised its "sensitive data" policy after an EPIC FOIA request revealed that the Department of Homeland Security had improperly acquired census data on Arab Americans following 9/11. In 2018, EPIC filed suit to block the citizenship question from the 2020 Census, alleging that the Bureau failed to complete several privacy impact assessments required under the E-Government Act. (Apr. 26, 2021)

  • The Supreme Court, ruling Thursday in AMG Capital Management v. Federal Trade Commission, sharply limited the FTC’s ability to obtain restitution for individuals harmed by companies’ unlawful trade practices. Disagreeing with years of FTC practice and numerous decisions by appellate courts, the Court ruled that a key provision in the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” As a result of the decision, the FTC must now go through a burdensome administrative process to force companies to give up ill-gotten gains rather than going directly to court. Acting Chairwoman Rebecca Kelly Slaughter responded that the decision is a ruling “in favor of scam artists and dishonest corporations, leaving average Americans to pay for illegal behavior.” Members of Congress have already proposed amendments to Section 13(b) of the FTC Act that would restore the Commission’s power to seek consumer redress. EPIC routinely advocates before the FTC for meaningful financial penalties against companies whose unlawful data and privacy practices harm consumers. (Apr. 23, 2021)

  • The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The proposed regulation includes a ban on “unacceptable” uses of AI such as general social scoring and “real time remote biometric identification” for law enforcement. The proposal also imposes testing and transparency obligations for "high-risk" uses of AI, including a publicly accessible EU database on stand-alone “high-risk” systems. The proposal requires notice to individuals when they interact with certain types of AI and “conformity” assessments for "high-risk" systems. The prohibitions on unacceptable AI are very limited and many of the strongest provisions are subject to vast exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. EPIC urges legislators to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. (Apr. 22, 2021)

  • The Florida House of Representatives today passed the Florida Privacy Protection Act, HB 969, on a 118-1 vote. The bill gives Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. EPIC and a coalition of privacy and consumer organizations had previously sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in the bill. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined." The Senate Rules Committee removed the private right of action provisions from the Senate bill, but the Senate could restore the crucial enforcement provision on the floor this week. (Apr. 21, 2021)

  • Following a report by the Tampa Bay Times about the Pasco County Sheriff’s broad-ranging predictive policing and scoring program, the Department of Education is investigating a Florida school district’s practice of giving the Sheriff access to students’ personal data. The disclosures may have violated the Federal Education Rights and Privacy Act, which places strict limits on the use of students’ educational records. In January, Rep. Robert Scott (D-VA), Chair of the House Committee on Education and Labor, called for an investigation of the Sheriff’s program, which used personal data to compile a list of students that the Sheriff believed could “fall into a life of crime.” EPIC has called for bans on secret scoring and mass surveillance and strict limits on the use of AI in the criminal justice system. (Apr. 21, 2021)

  • As part of EPIC's ongoing lawsuit for cell phone surveillance orders issued by federal prosecutors, the Department of Justice identified 75 orders and warrants for cell phone location data under § 2703(d) from the U.S. Attorney's Office for the Virgin Islands from 2016-2019. During the same period, the attorneys handled 283 criminal cases. The U.S. Attorney's Office for the Virgin Islands is one of the smallest districts in the country. In February, EPIC obtained the number of location data requests for the District of Delaware, the first of five districts that the DOJ has agreed to search for location data requests. EPIC is still waiting for responses from 3 of the agency's other prosecutors' offices and will continue to update its comparative table as each district releases more information. Currently prosecutors do not release any comprehensive or uniform data about their surveillance of cell phone location data. In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that the collection of cell phone location data without a warrant violated the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.). (Apr. 20, 2021)

  • The FTC announced Monday that the sale or use of racially biased algorithms is an unfair and deceptive trade practice in violation of the FTC Act. In a blog post, the Commission warned companies to ensure fairness and equity in their use of AI. The FTC cautioned companies to "Start with the right foundation," "Watch out for discriminatory outcomes," "Embrace transparency and independence," "Don't exaggerate what your algorithm can do or whether it can deliver fair or unbiased results," "Tell the truth about how you use data," "Do more good than harm," and "Hold yourself accountable–or be ready for the FTC to do it for you." The FTC cited its 2016 report on big data analytics and machine learning; its 2018 hearing on algorithms, AI and predictive analytics; and its 2020 business guidance on AI and algorithms. The post also cited a recent study from the Journal of the American Medical Informatics Association finding that AI may worsen healthcare disparities for people of color, even if an AI system was meant to benefit all patients. In 2019, EPIC filed a complaint with the FTC asking the Commission to investigate HireVue's use of opaque, unproven AI and to require baseline protections for AI use. Last year, EPIC petitioned the FTC to conduct a rulemaking on commercial uses of AI, including protections against discrimination and unfair bias. (Apr. 20, 2021)

  • A leaked draft of the European Commission's proposed AI regulation includes a ban on social scoring and strict limits on mass surveillance and other "high-risk" uses of AI. The draft regulation would generally prohibit AI which "manipulates human behaviour, opinions or decisions" to a person's detriment or which "exploits information or prediction about a person or group of persons in order to target their vulnerabilities[.]" The draft also requires notice to individuals when they interact with AI, prior authorization for the use of remote biometric identification tools (including facial recognition), and data impact assessments for "high-risk" systems. The draft is broadly worded and subject to exceptions—including exemptions for "investigating serious crime and terrorism"—but would impose a penalty of up to 4% of annual revenue on companies that violate the regulation. The official release of the proposed regulation is expected on April 21. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. (Apr. 14, 2021)

  • In an open letter released today, EPIC and twenty-four civil rights and social justice organizations called on elected officials to ban corporate, private, and government use of facial recognition technology, suggesting Portland, OR's recent ban on facial recognition as a model. The letter also urges corporate leaders to ban the technology within their companies. The coalition notes recent uses of facial recognition to monitor workers and instances of wrongful firings when facial recognition systems misidentified Black gig workers. EPIC and a coalition recently urged New York City Council to enact a comprehensive ban on facial recognition. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries. (Apr. 14, 2021)

  • As the Florida Legislature considers pending privacy bills, HB 969 and SB 1734, EPIC is urging lawmakers to enact strong privacy protections for all Floridians. The House Commerce Committee is today hearing HB 969, which would give Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. In written testimony, EPIC urged committee members to further strengthen the bill to prohibit discriminatory uses of data, remove the "right to cure" provision, require data minimization, support global opt-out mechanisms, ban pay-for-privacy schemes, and provide enhanced safeguards for sensitive uses of data. EPIC had previously led a coalition of groups urging Florida lawmakers to preserve the private right of action in the bills. (Apr. 14, 2021)

  • A bill passed in Virginia will ban local law enforcement agencies from using facial recognition technology without prior legislative approval starting July 1, 2021. Even when such approval is given, the bill further requires local police agencies to have "exclusive control" over the facial recognition systems they use, preventing the use of Clearview AI and other commercial FR products. However, Virginia State Police and other state law enforcement agencies may continue to use facial recognition without legislative approval. EPIC and a coalition recently urged New York City Council to enact a comprehensive ban on facial recognition. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries. (Apr. 9, 2021)

  • EPIC and a coalition sent letters to Attorney General Garland and the Senate Judiciary Committee urging them to conduct oversight and review agency implementation of the Freedom of Information Act. The coalition asked the Senate Judiciary Committee to hold an oversight hearing on agency FOIA compliance. The committee's last oversight hearing on FOIA was more than three years ago. The letter to the Senate Judiciary Committee states, "[I]t is imperative that the Committee provide oversight of agencies' compliance with FOIA, both to understand FOIA implementation by the Trump administration, as well as to seek commitments to comply with the law from the newly confirmed Biden administration officials." The coalition also asked Attorney General Garland to follow the precedent of many former AGs and issue a memorandum to agencies on how to interpret and apply the FOIA and to support legislative reform. During Sunshine Week, Attorney General Garland remarked that for the Justice Department to succeed, it must adhere to "the principles that have become core to our DNA" and that "faithful administration of FOIA is essential to American democracy." EPIC recently published its 2021 FOIA Gallery highlighting EPIC's most significant open government cases and records obtained through government records requests. (Apr. 8, 2021)

  • A trove of sensitive personal data from more than 500 million Facebook users was posted online over the weekend, according to press reports. The leaked data includes names, phone numbers, email addresses, birthdates, location information, and biographical details. The original breach of personal data appears to have occurred in 2019. At least one privacy regulator, the Irish Data Protection Commissioner, has launched an investigation into Facebook's handling of the breach. The Commissioner's office said today that it had "received no proactive communication from Facebook" following the disclosure of personal data. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook. (Apr. 6, 2021)

  • In September 2020, the Department of Housing and Urban Development released a final rule creating a defense to a discrimination claim under the Fair Housing Act where “predictive analysis” tools are not "overly restrictive on a protected class" or where they “accurately assessed risk.” Shortly after, a federal judge in Massachusetts blocked the rule, saying the regulation would "run the risk of effectively neutering disparate impact liability under the Fair Housing Act.” Today, American Bar Association President Patricia Lee Refo urged the agency to "act immediately to withdraw the 2020 FHA Rule and to adopt new guidance and a new rule to ensure the danger of algorithmic bias is adequately tackled.” EPIC and several others warned the federal housing agency during the initial rule announcement that providing such a safe harbor for the use of algorithms in housing without imposing transparency, accountability, or data protection regulations would exacerbate harms to individuals subject to discrimination. EPIC has called for greater accountability in the use of automated decision-making systems, including the adoption of the UGAI principles and requirements for algorithmic transparency. (Apr. 6, 2021)

  • EPIC and a coalition of privacy and consumer organizations today sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in two pending privacy bills, SB 1734 and HB 969. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined." (Apr. 5, 2021)

  • The Privacy and Civil Liberties Oversight Board released its report on Executive Order 12333, which provides broad legal authority for data collection. The Oversight Board conducted three deep-dives into 12333-related counterterrorism activities—two on classified CIA programs and one on NSA’s XKEYSCORE. XKEYSCORE is a tool used to search data collected under Executive Order 12333 that was revealed in the Snowden disclosures. The report lacks specifics on the 12333 programs the Board reviewed, but according to the Board the focus was on programs that either likely collected US persons' information, targeted US persons, or occurred in the US. The report also does not indicate the specific advice or recommendations the Board provided, but it does reveal that many intelligence agencies were using guidelines to protect US persons that had not been updated since the 1980s or were never implemented as required by 12333. EPIC previously urged the Oversight Board to conduct a review of 12333. (Apr. 2, 2021)

  • EPIC and a coalition of civil society groups urged officials in five states today to investigate major pharmacy chains over their collection and use of personal data from patients receiving COVID-19 vaccines. The federal government has partnered with retail pharmacies to expand vaccine distribution, including CVS, Walgreens, Walmart, and Kroger. But as the coalition letter explains, some pharmacies "are requiring patients seeking access to the vaccine to register through their existing customer portals, which in turn exposes patients to broad personal data collection and marketing." According to a recent report, CVS executives "plan to stay in touch with vaccine recipients beyond receiving their second shot and use information gleaned in the process to better market to them." The coalition urged state consumer protection authorities in California, Illinois, Massachusetts, New York, and the District of Columbia to conduct investigations, to prohibit the use of vaccine registrant data for commercial purposes, and to require pharmacies to separate vaccine registrant information from their general customer data. "Patients should not have to trade unrestricted use of their sensitive personal information for a life-saving vaccine," the letter argues. "We believe these practices are unfair and deceptive and should be halted immediately." The coalition called on state officials "to remove barriers to access the vaccine and promote an equitable vaccine distribution process by protecting the personal data of vaccine recipients." (Apr. 2, 2021)

  • The California Supreme Court held today that all parties must consent to the recording of a cellular phone call under the state's Invasion of Privacy Act. In Smith v. LoanMe, an individual alleged that a loan servicer had recorded their call without obtaining consent from the called party. The lower court found that the law's ban on recording calls without consent only applied to eavesdroppers and did not apply when one of the parties to the communication recorded the call. The lower court ruling went against decades of cases and guidance that held California was a "two party consent" state. The California Supreme Court reversed and held that the law prohibited both eavesdroppers and parties to a call from recording without consent. The Court recognized that the California legislature intended to create an all-party consent regime and that recording a call without consent of all parties "can implicate significant privacy concerns, regardless of whether a party or someone else is performing the recording." EPIC filed an amicus brief arguing that recording a call without consent of all parties "poses unique threats to privacy." EPIC routinely files amicus briefs in cases implicating consumer privacy. (Apr. 1, 2021)

  • Today, the U.S. Supreme Court ruled in Facebook v. Duguid that individuals can only claim protection under the Telephone Consumer Protection Act from unwanted calls made using a mass dialing system or "autodialer" if the system uses a random or sequential number generator to either store or produce the numbers called. EPIC filed an amicus brief urging the Court to interpret the autodialer restriction broadly to include systems that automatically dial numbers stored in lists or databases. EPIC argued that "narrowing the autodialer definition would not protect privacy" but would instead "put the most widely used mass dialing systems outside the scope" of the ban.

    Many robocallers and would-be robocallers will interpret the Court’s decision today as essentially abrogating the autodialer restriction, which will likely lead to a surge in unwanted automated calls to cell phones. Automated calls are already a daily nuisance for Americans. Individuals increasingly ignore calls from unknown numbers because they assume the calls are robocalls, which has caused particular harm to contact tracing during COVID-19. Congress must update the autodialer restriction to protect Americans from the coming onslaught of unwanted automated calls.

    But the Court’s decision today is not a total victory for robocallers. The decision does not limit the definition of an autodialer to systems that create random or sequential telephone numbers. The Court says that autodialers include systems that use random or sequential number generators to order numbers in a list. Because computer programs commonly use sequential number generators to store or pull information from a list, it is hard to think of a mass dialing system that would not use a sequential number generator at some point in the program.

    Litigation will continue over the scope of the autodialer definition. Americans need protection from robocallers now, and Congress should act swiftly to update the autodialer restriction.

    (Apr. 1, 2021)

  • EPIC and a coalition of civil-rights and community-based organizations submitted a letter to New York City Council Speaker Corey Johnson urging the council to introduce a comprehensive ban on government use of facial recognition. The letter highlights NYPD's use of facial recognition along with other NYC agencies, the potential for far-reaching surveillance posed by facial recognition technology, and the risk of errors from racial bias in facial recognition algorithms and poor police practices. EPIC leads a campaign to Ban Face Surveillance and, through the Public Voice Coalition, gathered support from over 100 organizations and experts from more than 30 countries. (Mar. 30, 2021)

  • Acting FTC Chairwoman Rebecca Kelly Slaughter today announced the creation of a new rulemaking group within the FTC. The announcement follows criticism that the FTC has not adequately used its authorities, including its rulemaking power, to address consumer protection harms and promote competition. Section 18 of the FTC Act enables the Commission to issue trade regulation rules to address unfair or deceptive practices that occur commonly. Once the commission has promulgated a trade regulation rule, it may seek civil penalties for each violation of the rule. “I believe that we can and must use our rulemaking authority to deliver effective deterrence for the novel harms of the digital economy and persistent old scams alike,” Acting Chair Slaughter said. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. (Mar. 25, 2021)

  • The Massachusetts Supreme Judicial Court ruled today that Facebook could be required to disclose to the Attorney General certain factual information about privacy-abusive apps discovered during the company's investigation into the Cambridge Analytica scandal. Facebook had claimed that all information it collected was protected by attorney-client and attorney work product privileges because the company's investigation was led by attorneys in anticipation of litigation. The Massachusetts high court disagreed that the attorney client privilege applied to all of the records, and remanded to the trial court to determine if the records contain factual work product that must be turned over to the Attorney General. EPIC filed an amicus brief in the case urging the court to "reject Facebook's attempt to use litigation threats as an excuse to prevent the facts of its breach of user trust from coming to light." EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook. (Mar. 24, 2021)

  • This week, the U.S. Supreme Court denied a petition for review in In re: Facebook, Inc. Internet Tracking Litigation, a case challenging Facebook's use of "cookies" to track internet browsing activity even when users were logged out of their Facebook accounts. The U.S. Court of Appeals for the Ninth Circuit held that Facebook's use of cookies to track Internet users browsing other websites might violate the federal Wiretap Act because Facebook was not an authorized party to those communications. Facebook's efforts to get the Supreme Court to reject this holding of the Ninth Circuit failed, and now the case will move forward. EPIC filed an amicus brief in the Ninth Circuit in this case and has filed briefs opposing settlements in other cases challenging cookie-based surveillance. EPIC has long advocated against the use of cookies and other surveillance tools to track people online. EPIC continues to advocate for clear rules and restrictions on web tracking as companies replace cookies with new surveillance techniques that would do little to protect privacy online. (Mar. 22, 2021)

  • EPIC filed a series of open government requests seeking information on fusion centers' role in monitoring Black Lives Matter protests this summer and on fusion centers' possession of advanced surveillance technologies including location tracking services, cell phone data extraction tools, facial recognition, and social media monitoring tools. EPIC sent requests to federally funded fusion centers in Pennsylvania, South Carolina, Northern California, and North Dakota. Fusion centers are state or regional intelligence units that provide police with access to advanced surveillance technologies while relaying information to the Department of Homeland Security. EPIC previously urged DHS's DPIAC committee to investigate fusion centers and recommend ending federal funding of fusion centers. (Mar. 18, 2021)

  • Yesterday, Megan Iorio, counsel at EPIC, presented oral argument as a friend of the court in Bozzi v. Jersey City, a New Jersey Supreme Court case concerning a commercial open government request for names and addresses of dog license registrants. The lower court found no privacy interest in the information and ordered its release. Ms. Iorio urged the court to reverse and to find that personal information in government records should only be disclosed when a government transparency interest could be served by disclosure. The argument drew on the historic and constitutional origins of the right to informational privacy, federal courts' interpretation of the Freedom of Information Act's privacy exemptions, and New Jersey's strong constitutional right to privacy. EPIC filed an amicus brief in the case and argued before the court last year in State v. Andrews about whether an individual can be compelled to disclose their cell phone passcode. (Mar. 16, 2021)

  • The Federal Trade Commission's 2013 failure to sue Google for antitrust violations went against the advice of FTC staff and disregarded evidence of Google's growing market dominance, according to records obtained by Politico. FTC antitrust attorneys advised the Commission to bring suit against Google to block future deals with mobile companies making Google an exclusive search provider. But the Commission rejected that recommendation on the view that mobile search was only a small part of the search market, a conclusion that quickly proved outdated. The records published by Politico also reveal that Amazon and Facebook—both of which are now facing their own antitrust proceedings—privately pushed the FTC to take enforcement action against Google. Google's anticompetitive practices in search and targeted advertising are the basis of two antitrust lawsuits brought by the Department of Justice and state attorneys general last year. On Monday, Texas announced that it would broaden its lawsuit to cover Google's planned replacement for third-party cookies—so-called "FLoCs"—which would do little to protect privacy but further consolidate Google's market power. EPIC has long targeted anticompetitive practices by Google, including its acquisition of DoubleClick and bias in YouTube search rankings. EPIC also helped bring about the FTC's 2011 order establishing privacy safeguards for Google users and sued when Google violated that order. (Mar. 16, 2021)

  • California Attorney General Xavier Becerra has announced updated regulations under the California Consumer Privacy Act (CCPA) that ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, the regulations prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out. "These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said Attorney General Becerra. Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." Last month, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process. Next month, the FTC plans a workshop on "Bringing Dark Patterns to Light." (Mar. 16, 2021)


  • In celebration of Sunshine Week, EPIC has unveiled the 2021 FOIA Gallery. Since 2001, EPIC has annually published highlights of EPIC's most significant open government cases and documents obtained through government records requests. For example, EPIC's 19-month legal effort in EPIC v. DOJ resulted in the release of new sections from the previously redacted Mueller Report, including details about Roger Stone and passages concerning decisions by Special Counsel Mueller to not charge particular individuals with criminal offenses. EPIC also prevailed twice in EPIC v. AI Commission, in which the court forced the Commission to hold public meetings and disclose thousands of pages of records to EPIC. In this year's FOIA gallery, EPIC also highlights records about DHS's initial response to election cybersecurity threats, a DOJ report on predictive policing and AI, records about contact tracing efforts from North Dakota and Utah, and records about CBP's electronic device border search audits. (Mar. 15, 2021)

  • In a joint statement by the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), the agencies terminated a 2018 agreement that previously formalized the practice of using information obtained from unaccompanied migrant children to deport relatives and other potential sponsors. EPIC previously urged HHS to abandon the practice of sending this data to DHS when the agency proposed a rule in 2018 to formalize the policy. EPIC argued the proposed rule conflicted with a Privacy Impact Assessment and undermined the welfare of unaccompanied children. EPIC also joined over 100 other groups to call for an end of the practice, stating that DHS has "taken a process designed to protect children and made it into a tool that uses them to find and deport their families." EPIC has previously warned Congress about the misuse of immigrant data by DHS. (Mar. 12, 2021)

  • Around 150,000 networked and facial recognition-capable security cameras located in hospitals, schools, homes, and prisons were accessed in a security breach of Verkada, a surveillance company. The breach exposed vulnerable populations surveilled by Verkada’s cameras and highlights the degree to which unregulated surveillance and data collection are ubiquitous within the United States. Verkada’s software offerings include facial recognition tools, exacerbating the risks created by its surveillance systems. EPIC, along with a coalition of advocates, warned about similar risks for Amazon’s Ring Doorbell and called for a ban on facial recognition as well as regulation of surveillance and data governance. (Mar. 12, 2021)

  • In a letter to Secretary of Homeland Security Alejandro Mayorkas, EPIC and a coalition of civil rights, civil liberties, immigrants' rights, technology, and privacy organizations urged the agency to rescind a Notice of Proposed Rulemaking massively expanding Customs and Border Protection's (CBP's) use of biometrics, and to suspend the use of facial recognition across DHS. The NPRM was originally issued November 19, 2020 and re-published on February 9, 2021 in a sign that DHS and the Biden Administration intend to go forward with the rulemaking. EPIC submitted comments on the original NPRM, urging CBP to suspend its use of facial recognition, or in the alternative use only 1:1 face comparison. Earlier, EPIC voiced opposition to a broader DHS rulemaking authorizing widespread use of biometrics, including facial recognition, throughout the agency. (Mar. 10, 2021)

  • Last week, the Supreme Court held in U.S. Fish & Wildlife Service v. Sierra Club that documents reflecting an agency's last view on a proposed rule are deliberative and exempt from disclosure under FOIA unless the agency treats the documents as final. In her first majority opinion since joining the bench, Justice Barrett interpreted the deliberative process privilege broadly, writing that, although the documents in this case represented "the last word within the [agency]," the documents "were not last because they were final; they were last because they died on the vine." Because the agency never formally finalized the documents or transmitted them in full to the agency that proposed the rule, the documents could be withheld. In its amicus brief, EPIC had urged the Court to narrowly interpret the deliberative process privilege. EPIC warned that a broad interpretation would encourage agencies to "continue to interpret the [privilege] broadly and cause years of delay and unnecessary litigation." EPIC regularly litigates FOIA cases and files amicus briefs on open government issues. (Mar. 9, 2021)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained additional records from the National Security Commission on Artificial Intelligence. The documents include further internal emails from Commission chair and former Google CEO Eric Schmidt. The Commission recently issued its final report on the use of AI in national security and defense settings. The report makes key recommendations concerning AI impact assessments and audits but fails to propose substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year. EPIC successfully sued the AI Commission in 2019 to enforce its transparency obligations, forcing the Commission to hold open meetings and disclose thousands of pages of records. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Mar. 9, 2021)

  • EPIC has filed an amicus brief in TransUnion LLC v. Ramirez, urging the U.S. Supreme Court to hold that people can sue when their privacy rights are violated, regardless of whether they allege that the violation led to other harms. The case concerns a suit brought under the Fair Credit Reporting Act (FCRA), one of many laws that create privacy rights for individuals to help them maintain control over their personal information. Ramirez and many others sued after TransUnion violated the FCRA, but the company argued that they don't have "standing" to sue. Other tech companies also filed a brief arguing that the Supreme Court should limit standing in privacy lawsuits. Standing is a constitutional doctrine that dictates when federal courts have authority to resolve cases. EPIC argued that privacy plaintiffs have standing to sue and that "standing was never meant to be a complicated inquiry or a substantial barrier to the vindication of legal rights." EPIC warned that "[c]ourts that require proof of consequential harm are usurping the legislative role and rewriting these privacy laws" because "it is not the business of courts to tell Congress which rights are enforceable, and which are not." EPIC previously filed an amicus brief in Spokeo and frequently files amicus briefs in cases interpreting standing under a variety of privacy laws. (Mar. 9, 2021)

  • EPIC, together with the ACLU and EFF, recently filed an amicus brief in Wisconsin v. Burch, urging the Wisconsin Supreme Court to stop police from conducting warrantless forensic searches of cell phones and indefinitely retaining the data based on vague consent forms. The defendant in the case had verbally consented to a limited search of his text messages during a hit-and-run investigation. Police then asked him to sign a vague consent form that did not specify his phone would be forensically analyzed and the data stored indefinitely. Police used a forensic device to download the entire contents of the phone, retained a full copy, and disclosed data that was outside the scope of his limited verbal consent to another department for use in an unrelated investigation. In their brief, EPIC, ACLU, and EFF argued that someone who consents to a limited search does not reasonably expect police may access, copy, and store vast amounts of personal information held on their phone. These searches violate the Fourth Amendment by “enabl[ing] the State to rummage at will among a person’s most personal and private information whenever it wanted, for as long as it wanted” without a warrant. EPIC regularly files amicus briefs challenging unlawful access to cell phone data. (Mar. 8, 2021)

  • Virginia Governor Ralph Northam has signed the Virginia Consumer Data Protection Act into law. "It is good to see Virginia and other states taking action to protect the privacy of their residents. States have always played a key role in establishing privacy protections," EPIC Policy Director Caitriona Fitzgerald said. "But in 2021 we need a more comprehensive and proactive approach to privacy than what Virginia adopted. We need privacy laws in the United States that address current business practices and protect individuals from all forms of corporate surveillance, algorithmic unfairness, manipulative design, and discrimination. We need privacy laws that minimize the data collected about us and encourage innovation in privacy enhancing technologies. And we need robust enforcement of these rules to make sure that the underlying business practices actually change." (Mar. 3, 2021)

  • The National Security Commission on Artificial Intelligence has issued its final report on the use of AI in national security and defense settings. The report urges Congress and the President to implement key safeguards on federal AI deployment, including mandating AI impact and risk assessments, updating standards for Privacy Act notices and privacy impact assessments, establishing an independent auditor for AI systems, empowering the Privacy and Civil Liberties Oversight Board to conduct AI oversight, and establishing a task force to recommend legal restrictions on the use of AI. However, the report fails to propose any substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year. "Unless express, binding limits on the use of AI are established now, the technology will quickly outpace our collective ability to regulate it," EPIC wrote. "The Commission cannot simply kick the can down the road, particularly when governments, civil society, and private sector actors have already laid extensive groundwork for the regulation of AI." Controversially, the AI Commission's final report also fails to endorse a ban on the use of autonomous weapons. The report was approved at the Commission's final meeting, which was open to the public as a result of EPIC's lawsuit. EPIC successfully sued the AI Commission in order to enforce its transparency obligations, forcing the Commission to hold open meetings and disclose thousands of pages of records. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Mar. 2, 2021)

  • EPIC has filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process. Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." Amazon employs dark patterns when customers attempt to cancel their Amazon Prime subscriptions, effectively preventing them from ending their memberships, charging users recurring fees, and continuing to collect, retain, and use the personal data of misdirected subscribers. EPIC's complaint calls on the D.C. Attorney General to halt Amazon's use of dark patterns. EPIC also warned the company that it is prepared to file suit under D.C.'s consumer protection law if Amazon fails to correct its unlawful business practices. EPIC recently signed onto a coalition letter urging the FTC to investigate Amazon's use of dark patterns in the Prime cancellation process. (Feb. 28, 2021)

  • In a letter to the Biden administration, EPIC and a coalition of 40 privacy, immigration, and civil liberties organizations urged the administration to abandon the proposed U.S. Citizenship Act of 2021 as an extension of the Trump administration's border policy. The proposed legislation would direct DHS to deploy a bevy of biometric and other surveillance technologies at points of entry and along the southern border. The letter describes how such technologies endanger the lives of migrants by pushing them onto more dangerous travel routes. The use of surveillance technologies at the border inevitably extends into the interior, where they are deployed against protesters, communities of color, and indigenous peoples. EPIC recently urged DHS to rescind a proposed rule increasing the agency's collection of biometric information. (Feb. 25, 2021)

  • In comments to the New York Police Department, EPIC called for meaningful limits on the use of mass surveillance technologies including facial recognition, airplanes and drones, automated license plate readers, and social media monitoring tools. EPIC also joined with privacy and civil liberties advocates and academics in coalition comments urging the NYPD to make a good faith effort to meet the requirements of the Public Oversight of Surveillance Technologies (POST) Act. The POST Act requires the NYPD to publish impact statements and use policies for 36 surveillance technologies. The Department's draft policies fail to disclose necessary information including detailed data storage, retention, and auditing practices, do not name the vendors of these technologies, and gloss over systemic racial discrimination in the use of these technologies with boilerplate language. The disclosures illuminate the use of technologies by the NYPD that enable mass surveillance and have extensive documented risks of bias and inaccuracy. EPIC leads a campaign to Ban Face Surveillance, and through the Public Voice coalition gathered support from over 100 organizations and experts from more than 30 countries. (Feb. 25, 2021)

  • EPIC and a coalition of 42 other organizations sent a letter to President Biden to commit to making transparency a top priority in his new administration. President Biden has pledged to "bring transparency and truth back to government," and advocates like EPIC intend to hold his administration accountable to these promises. The group asked the President to, among other things: direct agencies to adopt new Freedom of Information Act guidelines that prioritize transparency and the public interest; direct the Attorney General to issue new FOIA guidance; assess, preserve, and disclose key records of the previous administration; endorse legislative improvements for public records laws like FOIA and the Public Records Act; and seek funding increases for public records laws. The letter emphasized that "[a]s our country's history has shown us time and time again, when government secrecy proliferates, so do civil liberties violations and obstacles to democratic accountability." EPIC's Open Government Project frequently makes use of the FOIA to obtain information from the government, often litigating to force disclosure of agency records that impact critical privacy interests. (Feb. 22, 2021)

  • The Department of Justice has, after more than three years, finally begun to respond to EPIC's request for cell phone surveillance orders issued by federal prosecutors. EPIC first requested copies of the orders in 2017 and then filed a lawsuit against the Justice Department in 2018 when the agency failed to respond. The agency has now begun issuing responses from 5 of its U.S. Attorneys' Offices. The first response is from the District of Delaware, and shows that from 2016-2019 the prosecutors in that office had 150 applications and orders for cell phone location data under § 2703(d). Over that same period the attorneys handled 351 criminal cases. EPIC is still waiting for responses from 4 of the agency's other prosecutors' offices. EPIC will maintain a comparative table as each district releases more information. Prosecutors do not currently release any comprehensive or uniform data about their surveillance of cell phone location data. In contrast, the Administrative Office for the U.S. Courts releases detailed reports each year about the use of federal wiretap authority. The U.S. Supreme Court ruled in 2018 in Carpenter v. United States that collection of cell phone location data without a warrant violated the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.). (Feb. 22, 2021)

  • In a coalition letter, EPIC and over 40 other privacy, civil liberties, and civil rights groups called on the Biden administration to 1) place a moratorium on federal use of facial recognition and other biometric technologies, 2) stop state and local governments from purchasing facial recognition services with federal funds, and 3) support the Facial Recognition and Biometric Technology Act. The coalition letter highlights the threat of facial recognition to create a panopticon of surveillance, the particular harms to people of color, women, and youth from mis-identification by facial recognition, and widespread adoption of facial recognition without public input. Last year, EPIC and a coalition of privacy, civil liberties, and civil rights groups urged Congress to pass Senator Markey's Facial Recognition and Biometric Technology Act bill. In 2019, EPIC launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. (Feb. 17, 2021)

  • Christine Wilson, one of four current members of the Federal Trade Commission, said Friday that she is open to using the FTC's rulemaking authority to regulate data privacy. "I would hope that Congress will act, but if Congress doesn't act, maybe we do spend that time," Politico quoted Commissioner Wilson as saying during a Silicon Flatirons event. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. Acting FTC Chair Rebecca Kelly Slaughter and Commissioner Rohit Chopra have previously signaled their support for using the FTC's rulemaking authority to address consumer privacy issues. (Feb. 12, 2021)

  • EPIC Interim Associate Director and Policy Director Caitriona Fitzgerald will testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers. Senate Bill 185 requires financial institutions who choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers. (Feb. 9, 2021)

  • EPIC and the National Consumer Law Center have filed an amicus brief in Lindenbaum v. Realgy, LLC, urging the Sixth Circuit to reject immunity for illegal robocalls made between 2015 and 2020. The case follows the Supreme Court’s decision in Barr v. American Association of Political Consultants, in which the Court held that an exception added in 2015 to the decades-old robocall restriction was unconstitutional and must be severed from the broad robocall ban. As defendant in a separate robocall suit, Realgy argued that the Supreme Court’s decision meant that the broad robocall ban was unenforceable for the period that the unconstitutional exception was in effect, from 2015-2020. The district court agreed and granted Realgy’s motion to dismiss. EPIC and NCLC filed an amicus brief arguing that granting robocallers immunity “would reward those who made tens of billions of unwanted robocalls and deprive consumers of any remedy for the incessant invasion of their privacy.” EPIC regularly files amicus briefs supporting consumers in illegal robocall cases. (Feb. 2, 2021)

  • In comments responding to the National Institute of Standards and Technology's draft Federal Information Processing Standards for personal identity verification (ID cards and digital identity verification), EPIC urged the agency to adopt more privacy protective technology for federal employees and contractors. EPIC drew upon expertise from the Advisory Board for these comments. EPIC recently urged the Department of Homeland Security to suspend a new counterintelligence system of records which will collect biometric information. EPIC previously urged the Department of Transportation to provide more privacy protections for federal employees in the Insider Threat database. (Feb. 2, 2021)

  • EPIC presented the 2021 International Privacy Champion Awards this week to Justice K.S. Puttaswamy, retired Justice of the Karnataka High Court and lead plaintiff in the case that established the constitutional right to privacy in India and challenged the country’s mandatory biometric data collection program Aadhaar, and Senior Advocate Shyam Divan, who was the lead attorney on the case. EPIC Interim Executive Director Alan Butler emphasized the significance of the Puttaswamy case, noting that it “was groundbreaking in ways that will reverberate for decades to come.” The decision supports the recognition of privacy as a fundamental human right, and the case forced limits on the collection of biometric data in the world’s second largest country. The ceremony took place online at the annual conference on Computers, Privacy, and Data Protection. (Jan. 28, 2021)

  • The Hamburg Data Protection Authority has ruled that Clearview AI’s searchable database of biometric profiles is illegal under the EU’s GDPR and ordered the U.S. company to delete the claimant’s biometric profile. Clearview AI scrapes photos from websites to create a searchable database of biometric profiles. The database, which is marketed to private companies and U.S. law enforcement, contains over 3 billion images gathered from websites and social media. The claimant submitted a complaint to the Hamburg DPA after discovering that Clearview AI had added his biometric profile to the searchable database without his knowledge or consent. The DPA ordered Clearview to delete the mathematical hash values representing his profile but did not order Clearview to delete his captured photos. The DPA’s narrow order protects only the individual complainant because it is not a pan-European order banning the collection of any EU resident’s photos. The DPA decided that Clearview AI must comply with the GDPR, yet this narrow order places a burden on Europeans to have their profiles removed from the database. EPIC has long opposed systems like Clearview AI, filing an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws, submitting FOIA requests with several government agencies that use Clearview AI technology, and urging the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Jan. 28, 2021)

  • EPIC Senior Counsel Jeramie Scott testified today to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy. HB218 and SB16 are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. "Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised," EPIC told the Committees. EPIC stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog. EPIC previously filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. [Watch the hearing] (Jan. 27, 2021)

  • In a report released on January 20, the European Parliament outlines the need for new legal frameworks for artificial intelligence and biometric surveillance. The report raises objections to both civilian and military uses of artificial intelligence, mass surveillance, and deepfakes. The European Parliament was particularly concerned with facial recognition technology, proposing a moratorium on its use in public and semi-public spaces. EPIC leads a campaign to Ban Face Surveillance through the Public Voice coalition. (Jan. 22, 2021)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained additional records from the National Security Commission on Artificial Intelligence. The documents include emails from Commission chair and former Google CEO Eric Schmidt illustrating Schmidt’s close relationship with members of Congress. The records also reveal that the ethics disclosure form Schmidt filed with the Commission—a document that usually tops out at a dozen pages—was 38 pages long. EPIC’s FOIA request was recently highlighted in an American Prospect article on Schmidt’s role in Rebellion Defense, “a shadowy defense startup” that markets AI systems to the Defense Department. EPIC has twice prevailed in its open government case against the AI Commission, forcing the Commission to hold public meetings and disclose thousands of pages of records. In recent comments, EPIC called on the AI Commission to "advise Congress, as the nation's highest policymaking authority, to establish government-wide principles and safeguards for the use and development of AI." The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Jan. 20, 2021)

  • EPIC Equal Justice Works Fellow Ben Winters testified today before the Washington Legislature in support of a bill to establish transparency and accountability around state automated decision-making and ban certain dangerous applications of AI. Under SB5116, public and regularly updated algorithmic accountability reports of state uses of automated decision-making systems will be completed, AI-enabled profiling that produces significant legal effects will be prohibited, and other baseline protections will be enacted. EPIC has advocated for algorithmic transparency for several years, has issued calls to ban face surveillance, and tracks use of AI in the Criminal Justice System. (Jan. 20, 2021)

  • The Massachusetts Legislature has enacted a new law that prevents Massachusetts transit authorities from disclosing personal information related to individuals' transit system use for non-transit purposes and requires police obtain a search warrant before accessing personal data collected by the authorities. The law resolves many of the issues raised in Commonwealth v. Zachery, a case pending before the Massachusetts Supreme Judicial Court in which the government obtained, without a warrant, location data generated by the defendant's use of a Massachusetts Bay Transit Authority transit card. EPIC filed an amicus brief in the case. EPIC argued that disclosure of data collected by the transit authority should be limited to the purposes for which it was collected. EPIC further stated that "if the government seeks to access Charlie Card data for investigative purposes, it must do so with a warrant." The new law adopts both the disclosure limitation and warrant requirement that EPIC advocated for in its amicus brief to the Court. (Jan. 20, 2021)

  • The Federal Aviation Administration published the final rule for the operation of drones over people. The rule allows drones to operate over people without first obtaining a waiver to do so. The drone must meet certain requirements (e.g. the drone can't have exposed rotating blades), and the rule doesn't generally allow sustained flight over large gatherings of people outside. EPIC, in comments to the agency, argued that all drones operating over people should broadcast identifying information. In response to comments by EPIC and others, the FAA's final rule prohibits the operation of drones over "open-air assemblies" unless the drone meets the broadcast ID requirement that takes effect in September 2023. Through lawsuits and previous comments to the FAA, EPIC has repeatedly argued the FAA has an obligation to implement privacy safeguards for drones before they operate regularly over people. (Jan. 15, 2021)

  • Recently unveiled changes to WhatsApp's terms of service highlight the privacy and legal objections EPIC has long raised to Facebook's 2014 acquisition of the messaging platform. In early January, WhatsApp introduced a revision to its privacy policy that seemed to require app users to share extensive personal data with Facebook—an apparent violation of the privacy protections that originally fueled WhatsApp's growth. The policy change drove many WhatsApp users to turn to other secure messaging platforms including Signal and Telegram. WhatsApp later delayed the revision of its terms of service by several months and argued that the change only affected "business communication," but the episode underscores the dangers of a company built on the exploitation of personal data acquiring a company that has made explicit privacy commitments to its users. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinely incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." (Jan. 15, 2021)

  • Today, Google announced that it "completed its acquisition of Fitbit" in a $2.1 billion deal, even though the Department of Justice has not yet approved the merger. DOJ said that its investigation into the deal remains ongoing, and "[a]lthough the division has not reached a final decision about whether to pursue an enforcement action, the division continues to investigate whether Google's acquisition of Fitbit may harm competition and consumers in the United States." The announcement comes after Google gained EU antitrust approval for its Fitbit bid last month subject to limits on how it will use consumers' data, including pledging to not use Fitbit data for advertising purposes in Europe. EPIC has long opposed Google's acquisition of Fitbit, citing concerns about Google's history of data protection and privacy violations. In November 2019, EPIC told the House Judiciary Committee that the FTC should block the acquisition. EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services. (Jan. 14, 2021)

  • EPIC submitted comments to the Department of Homeland Security in response to a system of records notice and proposed exemptions from Privacy Act requirements for a new counterintelligence records system. DHS's proposed records system would permit nearly limitless collection of sensitive personal information and unchecked disclosure of that information to state, local and international agencies, and to private companies. DHS's proposed exemptions would eliminate all individual rights under the Privacy Act and exempt DHS from basic Privacy Act requirements, including limiting data collection to necessary information. EPIC recently insisted that DHS rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency. (Jan. 13, 2021)

  • The National Artificial Intelligence Initiative Office, created as part of the National Artificial Intelligence Initiative Act of 2020, was recently announced by the White House. According to the Act, the office will act as a point of contact for various federal artificial intelligence activities, conduct regular outreach about AI, and “promote access to and early adoption of the technologies, innovations, [and] lessons learned.” EPIC has recently submitted comments to the Office of Management and Budget and the National Security Commission on Artificial Intelligence advising the agencies to follow the Universal Guidelines for AI and push for actionable legal rights to protect against algorithmic harms. (Jan. 13, 2021)

  • HireVue, a major vendor of AI-based hiring tools, announced today that it will stop relying on "facial analysis" to assess job candidates. The move comes a year after EPIC filed a Federal Trade Commission complaint targeting HireVue's use of opaque algorithms and facial recognition. EPIC argued that HireVue's AI tools—which the company claimed could measure the "cognitive ability," "psychological traits," "emotional intelligence," and "social aptitudes" of job candidates—were unproven, invasive, and prone to bias. EPIC also highlighted HireVue's deceptive claim that it did not use facial recognition in its assessments. In announcing the change, HireVue acknowledged the public outcry over its use of facial analysis and said the technology "wasn't worth the concern." However, HireVue will continue to analyze biometric data from job applicants including speech, intonation, and behavior—all of which present similar privacy and discrimination risks. EPIC advocates for a moratorium on facial recognition and recently filed a complaint with the D.C. Attorney General explaining how online test proctoring companies use opaque, unreliable AI tools to monitor students. (Jan. 12, 2021)

  • European Digital Rights (EDRi), along with 61 civil society groups including EPIC, sent a letter today calling for the EU to introduce certain red lines in their upcoming European Commission proposal on Artificial Intelligence. The letter calls on the EU to prohibit the use of biometric mass surveillance, AI at the border, use of AI with social scoring, and use of predictive policing and other AI criminal risk assessment tools. "Without regulatory limits on the use of AI-based technologies," the letter says, "we face the risk of violations of our rights and freedoms by government and companies alike." EPIC has called for a moratorium on the use of face surveillance, and maintains resources on AI in the criminal justice system. (Jan. 12, 2021)

  • The Federal Trade Commission has reached a settlement with Everalbum, Inc., a California-based developer of a photo storage app, over allegations that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The proposed order requires the company to delete the facial recognition technologies it illegally developed using user photos and videos. According to the FTC complaint, Everalbum represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. But the company allowed some Ever app users—those located in Illinois, Texas, and Washington state—to choose whether to turn on the face recognition feature, even though it was automatically active for all other users and could not be turned off. Commissioner Rohit Chopra noted in an accompanying statement that residents of those states were afforded stronger protections because their legislatures had passed laws regulating facial recognition and biometric identifiers. Everalbum's differential treatment of users illustrates why Congress must ensure that any proposed federal privacy law sets a baseline for the country while protecting the ability of states to enact stronger privacy laws. (Jan. 11, 2021)

  • The American Civil Liberties Union and the Electronic Frontier Foundation have asked the U.S. Supreme Court to reverse the New Jersey Supreme Court's decision in State v. Andrews, which allows the government to compel an individual to disclose their cell phone passcodes. EPIC filed an amicus brief in Andrews and presented oral argument to the New Jersey Supreme Court arguing that the vast troves of data stored in a cell phone require strong constitutional protections. State supreme courts have disagreed about the extent to which individuals are protected from compelled disclosure of their cell phone passcode. Some courts, like New Jersey and Massachusetts, have applied the "foregone conclusion" exception to require individuals to divulge their passcodes. Others, like Pennsylvania and Indiana, have refused to apply that exception and found that the Constitution protects against compelled disclosure of cell phone passcodes. (Jan. 11, 2021)

  • The Supreme Court has granted review in Americans for Prosperity v. Becerra to decide whether the First Amendment protects donors to charities from compulsory disclosure of their identifying information. A California law requires charitable organizations to identify donors who contribute above a certain amount annually in a form filed with the state. Americans for Prosperity and other charitable organizations challenged the law, arguing that the reporting requirement violates First Amendment rights to speech and association. The Ninth Circuit ruled that the law did not violate the First Amendment. EPIC filed an amicus brief in the Ninth Circuit, arguing that donor privacy is an important tradition and that, contrary to California's assurances, the data was at risk of public disclosure. EPIC frequently files briefs in First Amendment cases, including several before the Supreme Court. (Jan. 11, 2021)

  • The Federal Aviation Administration posted the agency's final rule for remote drone identification. The final rule will require all drones to broadcast drone ID information in real-time, eliminating the option in the proposed rule to forgo real-time broadcast and only submit drone ID information for retention by a third party. EPIC previously commented on the FAA's proposed rule, urging the FAA to require all drones to provide real-time public access to drone ID information. In 2015, EPIC argued that drones should be required to broadcast relevant information to the public while in operation. (Jan. 6, 2021)
